Trusted Solaris Installation and Configuration

Chapter 9 Installing Trusted Solaris Over a Network

When installing Trusted Solaris software over a network, the system administrator uses the Solaris 8 Advanced Installation Guide in conjunction with the Trusted Solaris exceptions and additions described in this chapter.

Due to the security features in the Trusted Solaris environment, Trusted Solaris software modifies some of the procedures used for network installation, JumpStart installation, and Custom JumpStart installation. Also, the Trusted Solaris security and system administrators must enable access to commands on the installation CD-ROM or its image.

Trusted Solaris Modifications to Network Installation

Trusted Solaris software modifies network installation commands and procedures that require greater security. For example, the Volume Manager adds a mounting-user directory when mounting devices in the Trusted Solaris environment.

Table 9-1 Solaris and Trusted Solaris Installation and Configuration Differences


Solaris Software	Trusted Solaris Software
You can log in as root.	There is no superuser. You log in as a user who can assume the root role, or as a user who can assume the admin or secadmin role, depending on the task. Then, assume the role to perform the task.
Processes and files do not have a label.	All processes and files are labeled. Commands and actions are run at a particular label. Most administrative tasks are run at the label `ADMIN_LOW`.
Administrators can often use a command line interface, even if a corresponding GUI equivalent exists.	Many administrative commands are run from a GUI, which calls checking and synchronizing functions.
Administrators can run an administrative command from a CD-ROM or diskette.	Commands that are on a diskette or CD-ROM, or are accessible from an NFS mount, may need to be added to the admin role's profile before they can be run.
Allows you to use a CD-ROM or diskette without allocating it.	Requires you to allocate a peripheral device at a particular label before its use. Before removing the medium, you must deallocate it.

Modifications to Network Installation Commands

The following commands and actions are used when installing Solaris software or Trusted Solaris software over a network, and their use is modified in the Trusted Solaris environment. The following listing describes the additional procedures or security requirements. Commands that do not require a change in procedure are not listed. See the "Preparing to Install Solaris Software Over the Network" in Solaris 8 Advanced Installation Guide for the installation procedures themselves.

Table 9-2 Modified Network Commands


Network Command or GUI	Trusted Solaris Modification in its Use
setup_install_server(1M)	You must be in the admin role, at label `ADMIN_LOW`, in a terminal where the command is in a profile assigned to the admin role. If the admin role does not have this `/pathname/` command in its assigned profiles, the secadmin role, at label `ADMIN_LOW`, must add it to the Custom Admin Role profile. For the procedure, see "How to Modify a Role's Rights".
add_install_client(1M)	The requirements for this command to succeed are the same as the requirements for those for `setup_install_server`.
add_to_install_server(1M)	The requirements for this command to succeed are the same as those for `setup_install_server`.
rm_install_client(1M)	The requirements for this command to succeed are the same as those for `setup_install_server`.
mount(1M)	The admin role, at label `ADMIN_LOW`, runs this command. If you are mounting a CD-ROM or diskette on an installed workstation, the admin role must allocate the device at a particular label, usually `ADMIN_LOW`. When the medium is removed, the device must be deallocated.
Host Manager	A graphical user interface that is available from the Solaris Management Console action. You can use Host Manager to specify client information for network installation. This GUI is not available in the Solaris release.

Modifications to Network Installation Procedures

The following procedures are slightly different in the Trusted Solaris environment. The admin role installs software at the label ADMIN_LOW; the secadmin role modifies files connected with security.

Table 9-3 Modified Network Installation Procedures


Installation Procedure	Trusted Solaris Modification
Create an install server	Users who can assume the roles admin and secadmin should be present.
Give mounted media all allowed privileges.	The secadmin role modifies the `rmmount.conf` file. See "Give Mounted Media All Allowed Privileges" for the procedure.
Allocate CD-ROM	The admin role allocates the CD-ROM drive. See "To Allocate a Device" if you are unsure of the steps. See "Modify Permissions of Mount Point Parent" for additional steps for network install preparation.
Deallocate CD-ROM	The admin role deallocates the drive and removes the CD-ROM. See "To Deallocate a Device" if you are unsure of the steps.
Add a command to a role's profile	The secadmin role adds a command to a profile when, for example, the command is not located in the expected directory. See "How to Modify a Role's Rights" for this procedure.
Verify that a command is available to a role	The role that needs the command, at the appropriate label (usually `ADMIN_LOW`), verifies that a command that the security administrator has added to the role's profile is available to the role. For the full procedure, see "To Verify That a Command is Available to a Role". See Example 9-1 at the end of this table for a sample verification command.
Remove a command from a role's profile	The secadmin role removes the command from the role's profile. This is a security measure, so that the command will not be used at an inappropriate time. For the procedure, see "To Remove a Command from a Role's Rights".
Add client information with the add_install_client command	The admin role, on the install server launches the Name Service Switch action. Ensure that the value of `ethers` and `bootparams` is `files nisplus`, as in: ethers: files nisplus dns netmasks: files nisplus dns bootparams: files nisplus dns
Remove client information with the rm_install_client command	The admin role, on the install server, executes the `rm_install_client` command.
Reboot the install server	If you are unfamiliar with rebooting a Trusted Solaris workstation, see "To Reboot the Workstation".

Example 9-1 Admin Role Verifying that a Command is Available

If the commands add_install_client and rm_install_client are in the admin role's profile, the profiles(1) command should display something like the following for a disk image:

$ profiles -l | grep install_client
/export/install/ts8_sparc/add_install_client: 4,5,6,10,11,12,17,30,32,33,35,36,39,52,55,57,61,68,69
/export/install/ts8_sparc/rm_install_client:  4,5,6,10,11,12,17,30,32,33,35,36,39,52,55,57,61,68,69

Additional Steps to Set up Software Installation

To install from a CD-ROM, users who can assume administrative roles must be present. The secadmin role gives all allowed privileges to the CD-ROM device and modifies profiles where necessary. The admin role allocates the device, changes the permissions on the parent of the mount point, and installs the software.

Give Mounted Media All Allowed Privileges

Open the Admin Editor from the System_Admin folder.

Assign all allowed privileges to mounted removable media in the /etc/rmmount.conf file, as in:
mount * hsfs udfs ufs -o nosuid allowed=all

Write the file with :wq! and exit the editor.

Modify Permissions of Mount Point Parent

In the admin role, after allocating the CD-ROM, a File Manager will pop up showing the mount point of the CD-ROM. If it does not appear, bring up a File Manager from the Front Panel.

For Trusted Solaris software, the mount point should be /cdrom/admin-cdrom_0/trusted_sol_8_sparc or /cdrom/admin-cdrom_0/trusted_sol_8_ia.

In the File Manager, highlight /cdrom/admin-cdrom_0, the parent of the mount point.

From the Selected menu, choose Properties.

Note that the directory, named CD-ROM_FOLDER, has mode 700, so it is not searchable. The following steps will fix that.

Click the Show Access Control List button, then Add ...

Highlight the Mask entry and click Change.

Change the Mask to Read and Execute, and click Change.

Click Add..., and enter root in the User field, giving it Read and Execute.

Click Add, then click OK to exit the dialog.

Leave the File Manager up, available for the installation setup commands.

Load Trusted Solaris Images from CDs

In the File Manager, open the Tools folder, one of /cdrom/admin-cdrom_0/trusted_sol_8_sparc/Trusted_Solaris_8/Tools or /cdrom/admin-cdrom_0/trusted_sol_8_ia/Trusted_Solaris_8/Tools.

From the File menu select Open Terminal.

Still in the admin role, transfer the files from the first CD to the install server by typing
$ ./setup_install_server /export/install/ts8_{sparc,ia}
Note -
Do not double-click on this tool because the command must be started in a profile shell, not the shell defined in the File Manager.

By default, the Software Installation profile contains the exact pathname for this command, assuming that the role name is called "admin". This profile must be modified if a different mount point is used. To modify a profile, see "How to Modify a Role's Rights".

When the pound sign (#) prompt displays, deallocate the CD.

Insert the second CD and allocate it.

For the second CD, still in the admin role, repeat Step 1 through Step 8.

In the File Manager, open the Tools folder on the second CD, one of /cdrom/admin-cdrom_0/trusted_sol_8_sparc/Solaris_8/Tools or /cdrom/admin-cdrom_0/trusted_sol_8_ia/Solaris_8/Tools.

From the File menu select Open Terminal.

Transfer the files from the second CD to the install server by typing
$ ./add_to_install_server /export/install/ts8_{sparc,ia}
Note -
Do not double-click on this tool because the command must be started in a profile shell, not the shell defined in the File Manager.

Set up the Network Install Server for Installation Clients

To complete client installation, editing files and executing commands must be done in the admin role. Follow the instructions for Solaris network installation setup, using the following procedures when needed.

To share the server's network install directories so that they are available to the clients, in the admin role at label ADMIN_LOW, do the following:
1. Run the Share Filesystems action from the System_Admin folder in the Application Manager.
  
  The Share Filesystems action opens the /etc/dfs/dfstab file.
2. Enter the network install directory, and any relevant options.
  
  For example,
```
   share -F nfs -o ro,anon=0 -d "netinstall dir" /export/ts8_sparc_install
```
3. Write the file and quit the editor.
4. Open a terminal to run the share(1M) command to share the file systems.
  
  For example,
  $ share /export/ts8_sparc_install $ share /jumpstart
5. Verify that the directories are shared by running the showmount command:
  $ showmount -e export list for install_server: /export/ts8_sparc_install /jumpstart
6. If it returns the following error: showmount: server: RPC: Program not registered, start the nfs.server daemon, and verify the directories are shared.
  $ /etc/init.d/nfs.server stop $ /etc/init.d/nfs.server start $ showmount -e export list for install_server: /export/ts8_sparc_install /jumpstart

To modify or create files in the /etc directory, use the Admin Editor from the System_Admin folder in the Application Manager in order to give the file the correct security attributes.

See "To Create or Open a File from the Trusted Editor" for how to create or modify a file using the Admin Editor. For example, to create an empty ethers file, do the following:
1. In the admin role in an ADMIN_LOW workspace, invoke the Admin Editor.
2. Enter the full path to the file, /etc/ethers.
3. Once the editor is open, type :wq to save the empty file.

Run the Name Service Switch action from the System_Admin folder.

Run the Admin Editor action, and enter /etc/nsswitch.conf as the file to edit.

Change the ethers, netmasks, and bootparams entries in the file to read as follows:
```
   ethers: files nisplus dns
netmasks: files nisplus dns
bootparams: files nisplus dns
```
Note -
After adding clients to the network install server, reboot the server before attempting to install the clients over the network.

Trusted Solaris Modifications to Custom JumpStart

In the Trusted Solaris environment, Custom JumpStart procedures are handled by administrative roles. For an explanation of Custom JumpStart, see "Preparing Custom JumpStart Installations" in Solaris 8 Advanced Installation Guide. Prepare to modify Custom JumpStart procedures with Trusted Solaris security requirements, such as device allocation and task allocation by role.

Note -

Factory-installed JumpStart may not be supported by Trusted Solaris software.

Modifications to Custom JumpStart Procedures

The following procedures are slightly different in the Trusted Solaris environment.

Note -

The Trusted Solaris environment does not support mounting remote file systems during installation.

Table 9-4 Modified Custom JumpStart Procedures Setup


Custom JumpStart Procedure	Trusted Solaris Modification
Create a Custom JumpStart diskette	Users who can assume the roles admin and secadmin should be present.
Allocate diskette drive	As admin, at label `ADMIN_LOW`, allocate the floppy drive. See "To Allocate a Device" if you are unsure of the steps.
Deallocate diskette drive	As admin, at label `ADMIN_LOW`, deallocate the drive and remove the diskette. See "To Deallocate a Device" if you are unsure of the steps.
Format a diskette	As admin, at label `ADMIN_LOW`, run the `fdformat` command.
Create a filesystem on a diskette	As admin, at label `ADMIN_LOW`, run the `newfs` command.
Create a mount point on a diskette	As admin, at label `ADMIN_LOW`, run the `mkdir` command.
Mount the directory	As admin, at label `ADMIN_LOW`, run the `mount` command. See Example 9-2 at the end of this table for a sample `mount` command.
Populate the directory	As admin, at label `ADMIN_LOW`, run the `cp` command to copy the JumpStart sample directory to the diskette.
Create a JumpStart directory on a server	As admin, at label `ADMIN_LOW`, run the `mkdir` command.
Share the directory	For details of the procedure, see "How to Share a File System".
Share the file system	For details of the procedure, see "How to Share a File System".
Enable access to JumpStart directory	As admin, at label `ADMIN_LOW`, use the `-c` option to the `add_install_client` command to add JumpStart details to the local `bootparams` database.
Check access to JumpStart directory	On the install server, as role admin at label `ADMIN_LOW`, view the `bootparams` database. For details, see "To Locate a Solaris Management Console Tool".

Example 9-2 Mount a UFS Filesystem on a Diskette

To create a UFS file system on a diskette to be used for Custom JumpStart, as admin at ADMIN_LOW:

$ mkdir /ts8_jumpstart
$ mount -F ufs /dev/diskette /ts8_jumpstart

Modifications to Custom JumpStart Profiles

Use the Trusted Solaris information in the following table to modify the procedures in "Creating a Profile" in Solaris 8 Advanced Installation Guide.

Table 9-5 Modified JumpStart Profile Procedures


Solaris Procedure	Trusted Solaris Modification
Edit a profile file.	As admin role at label `ADMIN_LOW`, use the Admin Editor action. For how to use the Admin Editor, see "To Create or Open a File from the Trusted Editor". The upgrade keyword is not supported in Trusted Solaris 8.

Use the Trusted Solaris information that follows to modify the procedures in "Testing a Profile" in Solaris 8 Advanced Installation Guide and "pfinstall" in Solaris 8 Advanced Installation Guide.

In the Trusted Solaris environment, testing profiles is handled by the admin role.

How to Use pfinstall to Test a Profile

On an installed and configured Trusted Solaris host, log in as a user who can assume the admin role.

As admin at label ADMIN_LOW, launch a terminal and see that the pfinstall(1M) command is available in the role's profile shell.
$ profiles -l | grep pfinstall
Note -
The name profile shell refers to a shell that recognizes Trusted Solaris execution profiles. It does not refer to the machine profiles being tested here.

If the command is not in the profile, the secadmin role must add it to the admin role's rights, and then the admin role launches a new terminal in which to run the command.

See "How to Modify a Role's Rights" for how to add the pfinstall command to the admin role's rights profile.

Modifications to Custom JumpStart Rules

Use the Trusted Solaris information in the following table to modify the procedures in "Creating the rules File" in Solaris 8 Advanced Installation Guide.

Table 9-6 Modified JumpStart Rule Procedures


Solaris Procedure	Trusted Solaris Modification
Edit a rules file	As role admin at label `ADMIN_LOW`, use the Admin Editor action. For how to use the Admin Editor, see "To Create or Open a File from the Trusted Editor".
Use a Trusted Solaris-specific value for a keyword	For the `installed` option, the `version` keyword. `version` - A version name, such as `Trusted_Solaris_8`, or the special word `any`. If `any` is used, any Trusted Solaris or SunOS release is matched.
	For the `osname` option, the `version` keyword. `version` -- A version of Trusted Solaris the Trusted Solaris environment installed on the workstation: for example, Trusted Solaris 7.
Validate a rules file	Run the `check` script as role admin at label `ADMIN_LOW`.
Copy a rules file	As admin at label `ADMIN_LOW`, copy the file.

Modifications to Optional Custom JumpStart

Use the Trusted Solaris information that follows to modify the procedures in "Using Optional Custom JumpStart Features" in Solaris 8 Advanced Installation Guide.

Modifications to Begin and Finish Scripts

Use the Trusted Solaris information in the following table to modify the procedures in "Creating Begin Scripts" in Solaris 8 Advanced Installation Guide and "Creating Finish Scripts" in Solaris 8 Advanced Installation Guide.

Table 9-7 Modified JumpStart Script Procedures


Solaris Procedure	Trusted Solaris Modification
Create a begin or finish script	Scripts are handled by the admin role at label `ADMIN_LOW` using the Admin Editor action.
	The scripts must be profile shell scripts, such as `pfsh` or `pfksh`. See the pfexec(1) man page.

Trusted Solaris Script Examples

Begin and finish scripts in the Trusted Solaris environment are edited by an administrative role, and run in a profile shell. See the pfexec(1) man page for information on profile shells.

Reboot the Workstation with a Finish Script

Add the last line in the example finish script to every finish script you create.

#!/bin/pfsh
/usr/sbin/reboot

Add label_encodings File with a Finish Script

Note -

Use the Trusted Solaris information that follows to modify the procedure in "To Add Files With a Finish Script" in Solaris 8 Advanced Installation Guide.

For example, if you are using a custom JumpStart diskette to install Trusted Solaris software, place a copy of the site's label_encodings file into the JumpStart directory on the diskette.

The following finish script copies the file from the JumpStart directory into a workstation's /etc/security/tsol directory during a custom JumpStart installation:

#!/bin/pfsh
cp ${SI_CONFIG_DIR}/ label_encodings  /a/etc/security/tsol

Set the Root Password With a Finish Script

Note -

Use the Trusted Solaris information that follows to modify the procedures in "Setting the System's Root Password With a Finish Script" in Solaris 8 Advanced Installation Guide.

As admin at label ADMIN_LOW, set the variable PASSWD to an encrypted root password obtained from an existing entry in a workstation's /etc/shadow file.

Caution -

If you set your root password by using a finish script, be sure to safeguard against those who will try to discover the root password from the encrypted password in the finish script.

Modifications to Creating a Disk Configuration File

In the Trusted Solaris environment, configuration files are handled by the admin role. Use the following information to modify the procedures in "Creating Disk Configuration Files" in Solaris 8 Advanced Installation Guide.The Intel architecture procedure also modifies "fdisk" in Solaris 8 Advanced Installation Guide.

SPARC: To Create a SPARC Disk Configuration File

Log on as a user who can assume the admin role.

As admin at label ADMIN_LOW, launch a terminal and determine the device name for the workstation's disk.

Redirect the output of prtvtoc to create the disk configuration file:
$ prtvtoc /dev/rdsk/device_name > disk_config

IA: To Create an Intel Disk Configuration File

As admin at label ADMIN_LOW, redirect the output of the following prtvtoc command to a file.
$ prtvtoc /dev/rdsk/device_name > file1

Save the output of the following fdisk command to a file.
$ fdisk -R -d -n /dev/rdsk/device_name 2>file2

Concatenate the two files to create a disk configuration file.
$ cat file1 file2 > disk_config

Copy the disk configuration file to the JumpStart directory: :
$ cp disk_config jumpstart_dir_path

Trusted Solaris Differences for a JumpStart Example

Note -

Use the Trusted Solaris information that follows to modify the example in "Example of Setting Up and Installing Solaris Software With Custom JumpStart" in Solaris 8 Advanced Installation Guide.

In the Trusted Solaris environment, the Solaris JumpStart marketing and engineering example requires a user to assume the admin role.

The site uses NIS+. The Ethernet addresses, IP addresses, and host names are in NIS+ tables.
JumpStart information must use "None" for the naming service. Hosts installed by JumpStart are cliented after JumpStart finishes.
All commands are done by a particular role at a particular label, usually ADMIN_LOW. To execute a command, the role must have the command at that label in its Rights Profile.
All directories are created by the admin role at the label ADMIN_LOW, as in:
$ cp -r /export/install/jumpstart_sample /jumpstart
To create a shared directory, in the admin role at label ADMIN_LOW follow the procedure in "How to Share a File System" to create a vfstab entry, as in:
```
   share -F nfs -o ro,anon=0 /jumpstart
```
To create a profile, the security administrator in the admin role at label ADMIN_LOW uses the Admin Editor action.
To edit the rules file, the admin role at the label ADMIN_LOW uses the Admin Editor action.
To execute the check script, the admin role at the label ADMIN_LOW runs the check(1M) script, as in:
$ cd /jumpstart $ ./check

Set up the engineering systems for installation

On the install server, the admin role at the label ADMIN_LOW uses the add_install_client(1M) command:

$ cd /export/install
$ ./add_install_client -c server_1:/jumpstart host_eng1 sun4u
$ ./add_install_client -c server_1:/jumpstart host_eng2 sun4u
	.

Set up the marketing systems for installation

An administrator in the admin role at label ADMIN_LOW then uses the setup_install_server(1M) command that copies the boot software from the CD to the marketing server.

$ cd /cdrom/cdrom0/s0/Trusted_Solaris_8/Tools
$ ./setup_install_server -b /marketing/boot-dir sun4c

At label ADMIN_LOW, the admin role uses the add_install_client command on the marketing group's boot server.

$ cd /marketing/boot-dir
$ ./add_install_client -s server_1:/export/install \
-c server_1:/jumpstart host_mkt1 sun4c
$ ./add_install_client -s server_1:/export/install \
-c server_1:/jumpstart host_mkt2 sun4c	...