When installing Trusted Solaris software over a network, the system administrator uses the Solaris 8 Advanced Installation Guide in conjunction with the Trusted Solaris exceptions and additions described in this chapter.
Due to the security features in the Trusted Solaris environment, Trusted Solaris software modifies some of the procedures used for network installation, JumpStart installation, and Custom JumpStart installation. Also, the Trusted Solaris security and system administrators must enable access to commands on the installation CD-ROM or its image.
Trusted Solaris software modifies network installation commands and procedures that require greater security. For example, the Volume Manager adds a mounting-user directory when mounting devices in the Trusted Solaris environment.
Table 9-1 Solaris and Trusted Solaris Installation and Configuration Differences
Solaris Software | Trusted Solaris Software |
---|---|
You can log in as root. | There is no superuser. You log in as a user who can assume the root role, or as a user who can assume the admin or secadmin role, depending on the task. Then, assume the role to perform the task. |
Processes and files do not have a label. | All processes and files are labeled. Commands and actions are run at a particular label. Most administrative tasks are run at the label |
Administrators can often use a command line interface, even if a corresponding GUI equivalent exists. | Many administrative commands are run from a GUI, which calls checking and synchronizing functions. |
Administrators can run an administrative command from a CD-ROM or diskette. | Commands that are on a diskette or CD-ROM, or are accessible from an NFS mount, may need to be added to the admin role's profile before they can be run. |
Allows you to use a CD-ROM or diskette without allocating it. | Requires you to allocate a peripheral device at a particular label before its use. Before removing the medium, you must deallocate it. |
The following commands and actions are used when installing Solaris software or Trusted Solaris software over a network, and their use is modified in the Trusted Solaris environment. The following listing describes the additional procedures or security requirements. Commands that do not require a change in procedure are not listed. See "Preparing to Install Solaris Software Over the Network" in Solaris 8 Advanced Installation Guide for the installation procedures themselves.
Table 9-2 Modified Network Commands
Network Command or GUI | Trusted Solaris Modification in its Use |
---|---|
setup_install_server(1M) | You must be in the admin role, at label If the admin role does not have this /pathname/ command in its assigned profiles, the secadmin role, at label For the procedure, see "How to Modify a Role's Rights". |
add_install_client(1M) | The requirements for this command to succeed are the same as those for setup_install_server. |
add_to_install_server(1M) | The requirements for this command to succeed are the same as those for setup_install_server. |
rm_install_client(1M) | The requirements for this command to succeed are the same as those for setup_install_server. |
mount(1M) | The admin role, at label If you are mounting a CD-ROM or diskette on an installed workstation, the admin role must allocate the device at a particular label, usually |
Host Manager | A graphical user interface that is available from the Solaris Management Console action. You can use Host Manager to specify client information for network installation. This GUI is not available in the Solaris release. |
The following procedures are slightly different in the Trusted Solaris environment. The admin role installs software at the label ADMIN_LOW; the secadmin role modifies files connected with security.
Installation Procedure | Trusted Solaris Modification |
---|---|
Create an install server | Users who can assume the roles admin and secadmin should be present. |
Give mounted media all allowed privileges. | The secadmin role modifies the rmmount.conf file. See "Give Mounted Media All Allowed Privileges" for the procedure. |
Allocate CD-ROM | The admin role allocates the CD-ROM drive. See "To Allocate a Device" if you are unsure of the steps. See "Modify Permissions of Mount Point Parent" for additional steps for network install preparation. |
Deallocate CD-ROM | The admin role deallocates the drive and removes the CD-ROM. See "To Deallocate a Device" if you are unsure of the steps. |
Add a command to a role's profile | The secadmin role adds a command to a profile when, for example, the command is not located in the expected directory. See "How to Modify a Role's Rights" for this procedure. |
Verify that a command is available to a role | The role that needs the command, at the appropriate label (usually For the full procedure, see "To Verify That a Command is Available to a Role". See Example 9-1 at the end of this table for a sample verification command. |
Remove a command from a role's profile | The secadmin role removes the command from the role's profile. This is a security measure, so that the command will not be used at an inappropriate time. For the procedure, see "To Remove a Command from a Role's Rights". |
Add client information with the add_install_client command | The admin role, on the install server, launches the Name Service Switch action. Ensure that the value of ethers and bootparams is files nisplus, as in: ethers: files nisplus dns netmasks: files nisplus dns bootparams: files nisplus dns |
Remove client information with the rm_install_client command | The admin role, on the install server, executes the rm_install_client command. |
Reboot the install server | If you are unfamiliar with rebooting a Trusted Solaris workstation, see "To Reboot the Workstation". |
If the commands add_install_client and rm_install_client are in the admin role's profile, the profiles(1) command should display something like the following for a disk image:
```
$ profiles -l | grep install_client
/export/install/ts8_sparc/add_install_client: 4,5,6,10,11,12,17,30,32,33,35,36,39,52,55,57,61,68,69
/export/install/ts8_sparc/rm_install_client: 4,5,6,10,11,12,17,30,32,33,35,36,39,52,55,57,61,68,69
```
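A stricter form of the verification above, as an added example that is not part of the original guide: it compares the full pathname in saved `profiles -l` output rather than grepping for the command name, since a profile entry only applies to the exact pathname it lists. The function names and the saved-output file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the guide. It matches the full pathname in saved
# `profiles -l` output, because a grep for the command name also succeeds when
# the profile lists the command under a different directory.

# profile_privs FILE PATHNAME: print the privilege list recorded for PATHNAME;
# return 1 if that exact pathname is not listed.
profile_privs() {
    awk -v want="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = index(line, ":")
            if (n > 0 && substr(line, 1, n - 1) == want) {
                privs = substr(line, n + 1)
                gsub(/[ \t]/, "", privs)
                print privs
                hit = 1
            }
        }
        END { exit (hit ? 0 : 1) }' "$1"
}

# missing_commands FILE DIR CMD...: print each DIR/CMD the profiles do not list.
missing_commands() {
    file=$1; dir=$2; shift 2
    rc=0
    for cmd in "$@"; do
        profile_privs "$file" "$dir/$cmd" >/dev/null || { echo "$dir/$cmd"; rc=1; }
    done
    return $rc
}

# The two lines shown above for a disk image, reused as sample input.
sample_output() {
    cat <<'EOF'
/export/install/ts8_sparc/add_install_client: 4,5,6,10,11,12,17,30,32,33,35,36,39,52,55,57,61,68,69
/export/install/ts8_sparc/rm_install_client: 4,5,6,10,11,12,17,30,32,33,35,36,39,52,55,57,61,68,69
EOF
}

tmp=$(mktemp)
sample_output > "$tmp"
# Listed under the sparc image path, so nothing is reported:
missing_commands "$tmp" /export/install/ts8_sparc add_install_client rm_install_client || true
# The same command under the ia image path is not in the profile, so it is reported:
missing_commands "$tmp" /export/install/ts8_ia add_install_client || true
rm -f "$tmp"
```

On a live system the role would save its own output first, for example with `profiles -l > /tmp/role_profiles`, and pass that file to `missing_commands`.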
To install from a CD-ROM, users who can assume administrative roles must be present. The secadmin role gives all allowed privileges to the CD-ROM device and modifies profiles where necessary. The admin role allocates the device, changes the permissions on the parent of the mount point, and installs the software.
Log in as a user who can assume the secadmin role and assume it.
Open the Admin Editor from the System_Admin folder.
Assign all allowed privileges to mounted removable media in the /etc/rmmount.conf file, as in:
```
mount * hsfs udfs ufs -o nosuid allowed=all
```
Write the file with :wq! and exit the editor.
In the admin role, after allocating the CD-ROM, a File Manager will pop up showing the mount point of the CD-ROM. If it does not appear, bring up a File Manager from the Front Panel.
For Trusted Solaris software, the mount point should be /cdrom/admin-cdrom_0/trusted_sol_8_sparc or /cdrom/admin-cdrom_0/trusted_sol_8_ia.
In the File Manager, highlight /cdrom/admin-cdrom_0, the parent of the mount point.
From the Selected menu, choose Properties.
Note that the directory, named CD-ROM_FOLDER, has mode 700, so it is not searchable. The following steps will fix that.
Click the Show Access Control List button, then Add ...
Highlight the Mask entry and click Change.
Change the Mask to Read and Execute, and click Change.
Click Add..., and enter root in the User field, giving it Read and Execute.
Click Add, then click OK to exit the dialog.
Leave the File Manager up, available for the installation setup commands.
In the File Manager, open the Tools folder, one of /cdrom/admin-cdrom_0/trusted_sol_8_sparc/Trusted_Solaris_8/Tools or /cdrom/admin-cdrom_0/trusted_sol_8_ia/Trusted_Solaris_8/Tools.
From the File menu select Open Terminal.
Still in the admin role, transfer the files from the first CD to the install server by typing:
```
$ ./setup_install_server /export/install/ts8_{sparc,ia}
```
Do not double-click on this tool because the command must be started in a profile shell, not the shell defined in the File Manager.
By default, the Software Installation profile contains the exact pathname for this command, assuming that the role name is called "admin". This profile must be modified if a different mount point is used. To modify a profile, see "How to Modify a Role's Rights".
When the pound sign (#) prompt displays, deallocate the CD.
Insert the second CD and allocate it.
For the second CD, still in the admin role, repeat Step 1 through Step 8.
In the File Manager, open the Tools folder on the second CD, one of /cdrom/admin-cdrom_0/trusted_sol_8_sparc/Solaris_8/Tools or /cdrom/admin-cdrom_0/trusted_sol_8_ia/Solaris_8/Tools.
From the File menu select Open Terminal.
Transfer the files from the second CD to the install server by typing:
```
$ ./add_to_install_server /export/install/ts8_{sparc,ia}
```
Do not double-click on this tool because the command must be started in a profile shell, not the shell defined in the File Manager.
To complete client installation, editing files and executing commands must be done in the admin role. Follow the instructions for Solaris network installation setup, using the following procedures when needed.
To share the server's network install directories so that they are available to the clients, in the admin role at label ADMIN_LOW, do the following:
Run the Share Filesystems action from the System_Admin folder in the Application Manager.
The Share Filesystems action opens the /etc/dfs/dfstab file.
Enter the network install directory, and any relevant options.
share -F nfs -o ro,anon=0 -d "netinstall dir" /export/ts8_sparc_install
Write the file and quit the editor.
Open a terminal to run the share(1M) command to share the file systems.
For example,
```
$ share /export/ts8_sparc_install
$ share /jumpstart
```
Verify that the directories are shared by running the showmount command:
```
$ showmount -e
export list for install_server:
/export/ts8_sparc_install
/jumpstart
```
If it returns the following error: showmount: server: RPC: Program not registered, start the nfs.server daemon, and verify the directories are shared.
```
$ /etc/init.d/nfs.server stop
$ /etc/init.d/nfs.server start
$ showmount -e
export list for install_server:
/export/ts8_sparc_install
/jumpstart
```
To modify or create files in the /etc directory, use the Admin Editor from the System_Admin folder in the Application Manager in order to give the file the correct security attributes.
See "To Create or Open a File from the Trusted Editor" for how to create or modify a file using the Admin Editor. For example, to create an empty ethers file, do the following:
Run the Name Service Switch action from the System_Admin folder.
Run the Admin Editor action, and enter /etc/nsswitch.conf as the file to edit.
Change the ethers, netmasks, and bootparams entries in the file to read as follows:
```
ethers: files nisplus dns
netmasks: files nisplus dns
bootparams: files nisplus dns
```
After adding clients to the network install server, reboot the server before attempting to install the clients over the network.
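A pre-flight check for the two files edited in the steps above, as an added example that is not part of the original guide: it confirms that the ethers, netmasks and bootparams entries read `files nisplus dns` and that each install directory has a read-only share entry. The function names and the sample files are constructed for this example; on the install server the functions would be pointed at /etc/nsswitch.conf and /etc/dfs/dfstab.

```shell
#!/bin/sh
# Added example, not from the Trusted Solaris guide. Each function takes the
# file to inspect as an argument, so it can be pointed at a copy.

# check_nsswitch FILE: ethers, netmasks and bootparams must each read
# "files nisplus dns". If a database is listed twice, the last line is compared.
check_nsswitch() {
    bad=0
    for db in ethers netmasks bootparams; do
        val=$(awk -v db="$db" '
            { sub(/#.*/, "") }
            $1 == (db ":") { $1 = ""; sub(/^ +/, ""); v = $0 }
            END { print v }' "$1")
        if [ "$val" != "files nisplus dns" ]; then
            echo "nsswitch: $db is '${val:-missing}'"
            bad=1
        fi
    done
    return $bad
}

# check_dfstab FILE DIR...: each DIR needs a share line whose -o list has "ro".
check_dfstab() {
    file=$1; shift
    bad=0
    for dir in "$@"; do
        opts=$(awk -v dir="$dir" '
            { sub(/#.*/, "") }
            $1 == "share" && $NF == dir {
                found = 1; o = ""
                for (i = 2; i < NF; i++) if ($i == "-o") o = $(i + 1)
            }
            END { if (found) print "," o "," }' "$file")
        case $opts in
            "")     echo "dfstab: $dir has no share entry"; bad=1 ;;
            *,ro,*) ;;
            *)      echo "dfstab: $dir is not shared read-only"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample files: bootparams lacks nisplus, /jumpstart is shared rw.
make_samples() {
    cat > "$1/nsswitch.conf" <<'EOF'
hosts:      files nisplus dns
ethers:     files nisplus dns
netmasks:   files nisplus dns   # constructed comment
bootparams: files
EOF
    cat > "$1/dfstab" <<'EOF'
share -F nfs -o ro,anon=0 -d "netinstall dir" /export/ts8_sparc_install
share -F nfs -o rw,anon=0 /jumpstart
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_nsswitch "$tmp/nsswitch.conf" || echo "fix nsswitch.conf before adding clients"
check_dfstab "$tmp/dfstab" /export/ts8_sparc_install /jumpstart || echo "fix dfstab, then share again"
rm -rf "$tmp"
```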
In the Trusted Solaris environment, Custom JumpStart procedures are handled by administrative roles. For an explanation of Custom JumpStart, see "Preparing Custom JumpStart Installations" in Solaris 8 Advanced Installation Guide. Prepare to modify Custom JumpStart procedures with Trusted Solaris security requirements, such as device allocation and task allocation by role.
Factory-installed JumpStart may not be supported by Trusted Solaris software.
The following procedures are slightly different in the Trusted Solaris environment.
The Trusted Solaris environment does not support mounting remote file systems during installation.
Custom JumpStart Procedure | Trusted Solaris Modification |
---|---|
Create a Custom JumpStart diskette | Users who can assume the roles admin and secadmin should be present. |
Allocate diskette drive | As admin, at label |
Deallocate diskette drive | As admin, at label |
Format a diskette | As admin, at label |
Create a filesystem on a diskette | As admin, at label |
Create a mount point on a diskette | As admin, at label |
Mount the directory | As admin, at label See Example 9-2 at the end of this table for a sample mount command. |
Populate the directory | As admin, at label |
Create a JumpStart directory on a server | As admin, at label |
Share the directory | For details of the procedure, see "How to Share a File System". |
Share the file system | For details of the procedure, see "How to Share a File System". |
Enable access to JumpStart directory | As admin, at label |
Check access to JumpStart directory | On the install server, as role admin at label For details, see "To Locate a Solaris Management Console Tool". |
To create a UFS file system on a diskette to be used for Custom JumpStart, as admin at ADMIN_LOW:
```
$ mkdir /ts8_jumpstart
$ mount -F ufs /dev/diskette /ts8_jumpstart
```
Use the Trusted Solaris information in the following table to modify the procedures in "Creating a Profile" in Solaris 8 Advanced Installation Guide.
Table 9-5 Modified JumpStart Profile Procedures
Solaris Procedure | Trusted Solaris Modification |
---|---|
Edit a profile file. | As admin role at label For how to use the Admin Editor, see "To Create or Open a File from the Trusted Editor". The upgrade keyword is not supported in Trusted Solaris 8. |
Use the Trusted Solaris information that follows to modify the procedures in "Testing a Profile" in Solaris 8 Advanced Installation Guide and "pfinstall" in Solaris 8 Advanced Installation Guide.
In the Trusted Solaris environment, testing profiles is handled by the admin role.
On an installed and configured Trusted Solaris host, log in as a user who can assume the admin role.
As admin at label ADMIN_LOW, launch a terminal and see that the pfinstall(1M) command is available in the role's profile shell.
```
$ profiles -l | grep pfinstall
```
The name profile shell refers to a shell that recognizes Trusted Solaris execution profiles. It does not refer to the machine profiles being tested here.
If the command is not in the profile, the secadmin role must add it to the admin role's rights, and then the admin role launches a new terminal in which to run the command.
See "How to Modify a Role's Rights" for how to add the pfinstall command to the admin role's rights profile.
Use the Trusted Solaris information in the following table to modify the procedures in "Creating the rules File" in Solaris 8 Advanced Installation Guide.
Table 9-6 Modified JumpStart Rule Procedures
Solaris Procedure | Trusted Solaris Modification |
---|---|
Edit a rules file | As role admin at label For how to use the Admin Editor, see "To Create or Open a File from the Trusted Editor". |
Use a Trusted Solaris-specific value for a keyword | For the installed option, the version keyword. version - A version name, such as Trusted_Solaris_8, or the special word any. If any is used, any Trusted Solaris or SunOS release is matched. For the osname option, the version keyword. version - A version of the Trusted Solaris environment installed on the workstation: for example, Trusted Solaris 7. |
Validate a rules file | |
Copy a rules file | As admin at label |
Use the Trusted Solaris information that follows to modify the procedures in "Using Optional Custom JumpStart Features" in Solaris 8 Advanced Installation Guide.
Use the Trusted Solaris information in the following table to modify the procedures in "Creating Begin Scripts" in Solaris 8 Advanced Installation Guide and "Creating Finish Scripts" in Solaris 8 Advanced Installation Guide.
Table 9-7 Modified JumpStart Script Procedures
Solaris Procedure | Trusted Solaris Modification |
---|---|
Create a begin or finish script | Scripts are handled by the admin role at label The scripts must be profile shell scripts, such as pfsh or pfksh. See the pfexec(1) man page. |
Begin and finish scripts in the Trusted Solaris environment are edited by an administrative role, and run in a profile shell. See the pfexec(1) man page for information on profile shells.
Add the last line in the example finish script to every finish script you create.
```
#!/bin/pfsh
/usr/sbin/reboot
```
Use the Trusted Solaris information that follows to modify the procedure in "To Add Files With a Finish Script" in Solaris 8 Advanced Installation Guide.
For example, if you are using a custom JumpStart diskette to install Trusted Solaris software, place a copy of the site's label_encodings file into the JumpStart directory on the diskette.
The following finish script copies the file from the JumpStart directory into a workstation's /etc/security/tsol directory during a custom JumpStart installation:
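```
#!/bin/pfsh
# Copy the site's label_encodings file from the JumpStart directory
# into the newly installed system, which is mounted on /a.
cp ${SI_CONFIG_DIR}/label_encodings /a/etc/security/tsol
```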
Use the Trusted Solaris information that follows to modify the procedures in "Setting the System's Root Password With a Finish Script" in Solaris 8 Advanced Installation Guide.
As admin at label ADMIN_LOW, set the variable PASSWD to an encrypted root password obtained from an existing entry in a workstation's /etc/shadow file.
If you set your root password by using a finish script, be sure to safeguard against those who will try to discover the root password from the encrypted password in the finish script.
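One way to audit a JumpStart directory for the exposure described above, as an added example that is not part of the original guide: it lists files that assign PASSWD and are readable by group or other. The function names, file names and hash placeholder are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the guide. PASSWD is the variable the step above sets;
# the directory contents and the hash placeholder are constructed.

# exposed_passwd_scripts DIR: print files under DIR that assign PASSWD and are
# readable by group or other. Returns 1 if any are found, 0 otherwise.
exposed_passwd_scripts() {
    out=$(find "$1" -type f \( -perm -040 -o -perm -004 \) \
              -exec grep -l '^[[:space:]]*PASSWD=' {} + 2>/dev/null) || true
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed JumpStart directory with three finish scripts.
make_jumpstart_sample() {
    printf '#!/bin/pfsh\nPASSWD=CONSTRUCTED_HASH_PLACEHOLDER\n' > "$1/set_root_pw.fin"
    printf '#!/bin/pfsh\nPASSWD=CONSTRUCTED_HASH_PLACEHOLDER\n' > "$1/locked_pw.fin"
    printf '#!/bin/pfsh\n/usr/sbin/reboot\n' > "$1/reboot.fin"
    chmod 644 "$1/set_root_pw.fin"   # readable by everyone: reported
    chmod 600 "$1/locked_pw.fin"     # owner only: not reported
    chmod 755 "$1/reboot.fin"        # world-readable but holds no PASSWD
}

tmp=$(mktemp -d)
make_jumpstart_sample "$tmp"
exposed_passwd_scripts "$tmp" || echo "tighten the modes on the files listed above"
rm -rf "$tmp"
```

File modes only restrict local readers; a directory shared with anon=0, as the share entries in this chapter are, is readable by root on any client that can mount it.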
In the Trusted Solaris environment, configuration files are handled by the admin role. Use the following information to modify the procedures in "Creating Disk Configuration Files" in Solaris 8 Advanced Installation Guide. The Intel architecture procedure also modifies "fdisk" in Solaris 8 Advanced Installation Guide.
Log on as a user who can assume the admin role.
As admin at label ADMIN_LOW, launch a terminal and determine the device name for the workstation's disk.
Redirect the output of prtvtoc to create the disk configuration file:
```
$ prtvtoc /dev/rdsk/device_name > disk_config
```
As admin at label ADMIN_LOW, redirect the output of the following prtvtoc command to a file.
```
$ prtvtoc /dev/rdsk/device_name > file1
```
Save the output of the following fdisk command to a file.
```
$ fdisk -R -d -n /dev/rdsk/device_name 2>file2
```
Concatenate the two files to create a disk configuration file.
```
$ cat file1 file2 > disk_config
```
Copy the disk configuration file to the JumpStart directory:
```
$ cp disk_config jumpstart_dir_path
```
Use the Trusted Solaris information that follows to modify the example in "Example of Setting Up and Installing Solaris Software With Custom JumpStart" in Solaris 8 Advanced Installation Guide.
In the Trusted Solaris environment, the Solaris JumpStart marketing and engineering example requires a user to assume the admin role.
The site uses NIS+. The Ethernet addresses, IP addresses, and host names are in NIS+ tables.
JumpStart information must use "None" for the naming service. Hosts installed by JumpStart are cliented after JumpStart finishes.
All commands are done by a particular role at a particular label, usually ADMIN_LOW. To execute a command, the role must have the command at that label in its Rights Profile.
All directories are created by the admin role at the label ADMIN_LOW, as in:
```
$ cp -r /export/install/jumpstart_sample /jumpstart
```
To create a shared directory, in the admin role at label ADMIN_LOW, follow the procedure in "How to Share a File System" to create a vfstab entry, as in:
share -F nfs -o ro,anon=0 /jumpstart
To create a profile, the security administrator in the admin role at label ADMIN_LOW uses the Admin Editor action.
To edit the rules file, the admin role at the label ADMIN_LOW uses the Admin Editor action.
To execute the check script, the admin role at the label ADMIN_LOW runs the check(1M) script, as in:
```
$ cd /jumpstart
$ ./check
```
On the install server, the admin role at the label ADMIN_LOW uses the add_install_client(1M) command:
```
$ cd /export/install
$ ./add_install_client -c server_1:/jumpstart host_eng1 sun4u
$ ./add_install_client -c server_1:/jumpstart host_eng2 sun4u
.
```
An administrator in the admin role at label ADMIN_LOW then uses the setup_install_server(1M) command that copies the boot software from the CD to the marketing server.
```
$ cd /cdrom/cdrom0/s0/Trusted_Solaris_8/Tools
$ ./setup_install_server -b /marketing/boot-dir sun4c
```
At label ADMIN_LOW, the admin role uses the add_install_client command on the marketing group's boot server.
```
$ cd /marketing/boot-dir
$ ./add_install_client -s server_1:/export/install \
    -c server_1:/jumpstart host_mkt1 sun4c
$ ./add_install_client -s server_1:/export/install \
    -c server_1:/jumpstart host_mkt2 sun4c
...
```