This chapter covers how to configure a system without a name service. Administration is through local files.
Installation and configuration commands and actions are limited to particular roles and particular labels. Read each task for the administrative role that can perform it, and the label required.
Trusted Solaris software is designed to be installed and configured by an install team. Once the team has created users who can assume Trusted Solaris roles, and has rebooted the computer, the software enforces task division by role. If two-person installation is not a site security requirement, you can assign the administrative roles to one person.
A system that is administered using local files instead of a name service is configured much like a name server, except that only local files are used for administration rather than name service tables or maps.
If you are configuring the system to satisfy criteria for an evaluated configuration, read "Understanding Your Site's Security Policy" before continuing.
| Task | Description |
|---|---|
| Initial Configuration -- from "Logging In and Launching a Terminal" through "Initializing the Solaris Management Console" | Covers how to protect the hardware, set up the labels, and initialize the administration tools. |
| | Covers how to set up static routing. |
| | Covers how to specify all hosts that can communicate with the system. |
| | Covers how to create administrative roles and users to assume those roles. |
| | Covers how to test that the roles are effective. |
| | Covers how to share and mount file systems, and how to delete the install user. Points you to auditing and further setup information. |
At most sites, two or more administrators, an install team, are present when configuring the system. "You", in the following procedures, refers to the install team.
The predefined user install logs in immediately after installation to configure the system.
Enter install as the user name and press the Return key.
The Password dialog box is displayed.
Enter install for the password.
The Enable Logins dialog offers four choices, as shown in the following figure:
Depending on site security requirements, enter 1 or 2, then click OK.
The Message Of the Day (MOTD) dialog box is displayed; the label is ADMIN_LOW.
Click OK to dismiss the MOTD dialog box.
The Trusted Solaris screen appears briefly. Then you are in a CDE workspace, as shown in Figure 4-2. The trusted stripe below the front panel shows the window sensitivity label.
The install team must log off or utilize the lockscreen functionality before leaving a system unattended. Otherwise a person may have access to the system without having to pass identification and authentication, and that person would not be uniquely identified or accountable.
An administrative role configures the system; however, a role cannot log in. Users log in, and assume one or more of their assigned roles. The root role has been pre-assigned to the user install.
Right click on the middle of the Front Panel.
Select Assume root Role from the TP (Trusted Path) menu.
After initial installation from a CD-ROM, only the root role will be displayed on the TP menu, since no other roles have been created.
At the password prompt, enter the password for the root role.
The password for the root role is the password that the install team entered for root when prompted during the installation program.
Right-click on the screen background and select Tools -> Terminal from the Workspace Menu.
The terminal's Options menu enables you to customize the appearance of the terminal. Customizations for the install user are not saved.
For more information on PROM values that you can set, see OpenBoot 2.x Command Reference Manual or OpenBoot 3.x Command Reference Manual.
In the terminal, enter the PROM security mode.
```
# eeprom security-mode=command
Changing PROM password:
New password: password
Retype new password: password
```
Choose the value command or full. See the eeprom(1M) man page for more details.
If you are not prompted to enter a PROM password, the system already has a PROM password. To change the PROM password, run the command:
```
# eeprom security-password=Return
Changing PROM password:
New password: password
Retype new password: password
```
The new PROM security mode and password are in effect immediately, but are most likely to be noticed at the next boot.
Do not forget this password. The hardware is unusable without it.
On Intel architecture, the equivalent to protecting the PROM is to protect the BIOS.
Refer to your machine's manuals for how to protect the BIOS.
The default label_encodings file is useful for demos, but it is not a good choice for use by a customer site. However, if you plan to use it, you can skip this step.
The Trusted Solaris label_encodings(4) file has been checked and is installed. Note that it must be compatible with any Trusted Solaris host with which you are communicating.
If you are familiar with label encodings files, you can use the following procedure. However, if you are not familiar with label encodings files, consult Trusted Solaris Label Administration for requirements, procedures, and examples.
You can edit the placeholder label_encodings(4) file that the Trusted Solaris installation program installed, or install your own. The security administrator is responsible for editing, checking, and maintaining the label_encodings file.
You must successfully install labels before continuing or the installation will fail.
The label_encodings file is protected at the label ADMIN_HIGH. For security, you copy, edit, check and install your label encodings file at ADMIN_HIGH.
Click the right menu button over the root workspace switch to bring up the TP menu, and select Add Workspace.
A second workspace, named root_1, is created and active.
Click the right menu button over the root_1 workspace switch, and choose Change Workspace Label from the menu.
Click the ADMIN_HIGH label in the Label Builder and click OK.
The color of the workspace switch changes to the color associated with the label ADMIN_HIGH. Actions, terminals, commands and windows originating from this workspace run at the label ADMIN_HIGH.
In the ADMIN_HIGH workspace, click the left mouse button on the triangle above the Style Manager icon on the Front Panel.
Its Tools subpanel includes the Device Allocation icon.
Double-click the device you want to allocate.
floppy_0 indicates a diskette.
Click Yes to mount the device.
A File Manager pops up showing the mount point. If it does not pop up, open a File Manager from the Front Panel, navigate to /, and double-click floppy.
If you plan to tweak the label encodings file, make sure that the file itself is writable.
In the ADMIN_HIGH workspace, open the Application Manager by clicking the right mouse button on the background to bring up the Workspace menu.
Choose Applications -> Application Manager from the top of the menu.
Double-click the System_Admin folder icon.
Check the syntax of the new label encodings file by double-clicking the Check Encodings action.
You can ignore any Trash Can Error dialog error messages.
In the dialog box, enter the full path name to the file:
```
/floppy/floppy0/label-encodings-filename
```
Read the contents of the Check Encodings dialog box that is displayed.
The chk_encodings(1M) command checks the syntax of the file.
If the file passes the check, answer yes to overwrite the currently-installed label_encodings file.
The Check Encodings action creates a backup copy (naming it label_encodings.orig), installs the checked version, then restarts the label daemon.
Only if it reports no errors can you continue installing.
If it reports errors, they must be resolved before continuing with installation.
Consult "Creating or Editing the Encodings File" in Trusted Solaris Label Administration for troubleshooting assistance.
Your label encodings file must pass the Check Encodings test before you continue.
In the workspace where the Device Allocation action is displayed, double-click the device to be deallocated from the list of allocated devices.
Remove the diskette and click OK in the Deallocation dialog box.
Return to root's ADMIN_LOW workspace by clicking the root workspace switch.
In the root role in an ADMIN_LOW workspace, start the SMC server process in the terminal window.
```
# smc
```
The smc command initializes the SMC server. The first time the server is launched, it performs several registration tasks, which can take a few minutes.
If toolbox icons do not appear in the Solaris Management Console and the Navigation pane is not visible:
In the Open Toolbox dialog that is displayed, click Load next to where this machine's name is listed under Server.
If this machine does not have the recommended amount of memory and swap, it may take a few minutes for the toolboxes to display. See "Recommendations for the Trusted Solaris Environment".
From the list of toolboxes, select Trusted Solaris Management Console, then click the Open button.
If the Navigation pane is visible, but the toolbox icons are stop signs:
Exit the SMC by choosing Exit from the Console pull-down menu.
Restart the SMC.
```
# smc
```
Open the Trusted Solaris Management Console toolboxes by choosing Open from the Console menu, then selecting Trusted Solaris Management Console. The following figure shows the Navigation Pane of the Solaris Management Console in the Files scope.
Saving the toolbox preference enables the Trusted Solaris Management Console toolboxes to load by default. The preferences are saved per role, per host (SMC server).
From the Console menu, choose Preferences.
Click the Use Current Toolbox button, then click OK.
If you are configuring the name service master, return to "(Optional) Configuring Routing" in Chapter 5, Configuring a Name Service Master. Otherwise, continue.
Set up static routing only if the security administrator has planned for an open network and you do not plan to use dynamic routing. Dynamic routing is the default, and requires no setup.
See "Administering Trusted Networking" in Trusted Solaris Administration Overview for more information.
For static routing, do one of "Set Up Simple Static Routing" or "Set up Static Routing Using Extended Metrics".
For small networks, an /etc/defaultrouter file provides a simple routing method.
Double-click the Set Default Routes action in the System_Admin folder.
See "To Open a File that has a Defined Action" if you are unfamiliar with using trusted actions.
An empty /etc/defaultrouter file appears in the trusted editor.
Enter the name or the IP address of the defaultrouter. If there is more than one, enter them all, one per line, and then save the file.
For example, if the hosts trustworthy and forwardho are routers, enter them, one per line:
```
trustworthy
forwardho
```
If your host or site accesses a complex network of gateways, the /etc/tsolgateways file offers more routing options. See the tsolgateways(4) man page for examples.
Double-click the Set TSOL Gateways action in the System_Admin folder.
See "To Open a File that has a Defined Action" if you are unfamiliar with using trusted actions.
An empty /etc/tsolgateways file appears in the trusted editor.
Enter the IP address of the subnet, the name of the gateway and its metric. Repeat for every gateway and save the file.
For example, if the hosts trustworthy and forwardho are gateways:
```
192.168.15.0 trustworthy 1
192.168.8.0 forwardho 2
```
If the system has an /etc/defaultrouter file and an /etc/tsolgateways file, only the /etc/tsolgateways file is used for routing decisions.
In the root role at the label ADMIN_LOW, return to the Solaris Management Console or re-open it if it is closed.
```
# smc
```
Click this-host: Scope=Files, Policy=TSOL under Trusted Solaris Management Console in the Navigation pane.
See Figure 9-1 for what tools should display in the Navigation pane.
Display the computers known to this host by clicking Trusted Solaris Configuration, then clicking Computers and Networks.
If toolbox icons display as red stop signs, the toolboxes will not load. To load them, see Step 2 in "Initialize the SMC Server".
Provide a password when prompted, then double-click Computers.
This computer should already be in the database. You should add every host that this system may contact, including static routers (if any), and any audit servers.
Add a host that this computer may contact by choosing Add Computer from the Action menu.
Click Apply to add the host, and click OK when the entries are complete.
The network wildcard 0.0.0.0 may present a security risk. See "Modifying the Boot-time Trusted Network Databases" in Trusted Solaris Administrator's Procedures for more information.
Follow the instructions in the "To Replace the 0.0.0.0 Entry in the Local Tnrhdb File" procedure under "Managing Trusted Networking (Tasks)" in Trusted Solaris Administrator's Procedures.
If you used the Trusted Solaris label_encodings file, you can skip this step.
If this host is going to contact unlabeled hosts, the tnrhtp file must have an appropriate unlabeled template for those unlabeled hosts. See Table 1-3 in "Additional Planning for Open Networks" for host types and their associated templates provided by Trusted Solaris software.
The tnrhtp(4) file installed by the Trusted Solaris installation program contains examples of templates that match the label_encodings(4) file installed during Trusted Solaris installation. If you installed a site-specific label_encodings file, it is highly likely that the existing tnrhtp templates will not work with your file.
In the root role at the label ADMIN_LOW, double-click Security Families under Computers and Networks in the Solaris Management Console.
The existing templates are displayed in the View pane.
Sites that install a site-specific label_encodings file must create templates that reflect the labels of machines and networks that the Trusted Solaris network can contact.
You should have templates for:
The Trusted Solaris hosts that this machine can contact.
Any unlabeled hosts/networks that this machine can contact.
To create a single-label template to assign to unlabeled hosts, choose Add Template from the Action menu.
Consult the online help as you create the template.
In the Basic Information tab, create a template named unlab_min-user-label, of host type Unlabeled, with an ADMIN_HIGH clearance and a process label of min-user-label.
The default clearance must dominate the default label. The label ADMIN_HIGH dominates all labels.
Click OK when the template is complete.
Create any other templates your site needs before continuing.
The trusted network remote host database, tnrhdb, enables this host to communicate with remote hosts. The tnrhdb(4) man page describes the format of the entries, and suggests how to minimize the number of entries required.
Assign a remote host template to every host or network that this machine may contact. Include every host in the /etc/hosts file.
See Table 1-3 in "Additional Planning for Open Networks" for host types and their associated templates provided by Trusted Solaris software.
In the root role at the label ADMIN_LOW, double-click Security Families under Computers and Networks in the Solaris Management Console.
Double-click the Trusted Solaris security family, tsol.
Choose Add Host(s) from the Action menu.
In the Add Host(s) dialog box, click Add Wildcard to assign this template to all hosts on your Trusted Solaris subnet.
Choose Add Host(s) from the Action menu and click Add Host in the Add Host(s) dialog box to enter any exceptions to the subnet template assignment. Click OK to end the entry.
For example, enter 192.168.10.3 and unlab_min-user-label. This host on the subnet is an unlabeled host, an exception to the tsol wildcard entry.
Choose Add Host(s) from the Action menu and click Add Host to enter the IP address of every host in your /etc/defaultrouter or /etc/tsolgateways file, and assign to each an appropriate template name. Click OK to end each entry.
Enter the details of other subnets and hosts.
Enter the wildcard designation of each subnet and choose its appropriate template by choosing Add Host(s) -> Choose Wildcard.
Individually assign a different template to any host that is an exception to its subnet's assigned template by choosing Add Host(s) -> Choose Host.
Use the details provided by your system administrator, then choose the appropriate template name from the menu.
Open a terminal to reload and verify the updated tnrhdb database.
```
# tnctl -H /etc/security/tsol/tnrhdb
# tninfo -h
```
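The following added example (not part of the original guide) is an offline shell check that lists hosts from the hosts file and the router files that would receive a template only from the 0.0.0.0 entry, from no entry at all, or whose names cannot be resolved locally. It assumes tnrhdb lines of the form address:template with trailing-zero network wildcards matched most-specific-first; the function names and sample files are constructed for illustration.

```shell
# Added example. Assumed formats: tnrhdb lines are "address:template"; a
# network entry is an address with trailing zero octets; 0.0.0.0 matches
# any host. Lookup is most-specific-first.

# resolve_ip NAME_OR_IP HOSTS -> IP address, or empty if the name is not local
resolve_ip() {
    case $1 in
        *[!0-9.]*) awk -v n="$1" '{ sub(/#.*/, "")
                       for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$2" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# match_template IP TNRHDB -> exact:T | wildcard:NET:T | catchall:T | missing
match_template() {
    awk -F: -v ip="$1" '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }
        NF >= 2 { tmpl[$1] = $2 }
        END {
            if (ip in tmpl) { print "exact:" tmpl[ip]; exit }
            split(ip, o, ".")
            net[1] = o[1] "." o[2] "." o[3] ".0"
            net[2] = o[1] "." o[2] ".0.0"
            net[3] = o[1] ".0.0.0"
            for (i = 1; i <= 3; i++)
                if (net[i] in tmpl) { print "wildcard:" net[i] ":" tmpl[net[i]]; exit }
            if ("0.0.0.0" in tmpl) { print "catchall:" tmpl["0.0.0.0"]; exit }
            print "missing"
        }' "$2"
}

# audit_tnrhdb HOSTS TNRHDB [ROUTER_FILE...] -> one "host status" line per host.
# Router files: one router per line (defaultrouter) or "subnet gateway metric".
audit_tnrhdb() {
    hosts=$1 tnrhdb=$2; shift 2
    {
        awk '{ sub(/#.*/, "") } NF >= 2 && $1 !~ /:/ { print $1 }' "$hosts"
        for f in "$@"; do
            awk '{ sub(/#.*/, "") } NF == 1 { print $1 } NF >= 3 { print $2 }' "$f"
        done
    } | while read -r target; do
        ip=$(resolve_ip "$target" "$hosts")
        if [ -z "$ip" ]; then echo "$target unresolved"
        else echo "$ip $(match_template "$ip" "$tnrhdb")"
        fi
    done | sort -u
}

# needs_entry: keep only hosts that have no specific host or subnet entry
needs_entry() { grep -E ' (catchall:.*|missing|unresolved)$' || true; }

# Constructed sample files; host names follow the guide's routing examples.
make_sample() {
    cat > "$1/hosts" <<'EOF'
127.0.0.1     localhost
192.168.10.1  thishost loghost
192.168.10.3  oldbox        # unlabeled exception on the tsol subnet
192.168.15.1  trustworthy
192.168.8.1   forwardho
10.4.4.7      auditsrv
EOF
    echo trustworthy > "$1/defaultrouter"
    cat > "$1/tsolgateways" <<'EOF'
192.168.15.0 trustworthy 1
192.168.8.0 forwardho 2
172.16.0.0 edgegw 3
EOF
    cat > "$1/tnrhdb" <<'EOF'
127.0.0.1:tsol
192.168.10.0:tsol
192.168.10.3:unlab_min-user-label
192.168.15.1:tsol
0.0.0.0:tsol
EOF
}

demo() {
    d=$(mktemp -d) && make_sample "$d"
    audit_tnrhdb "$d/hosts" "$d/tnrhdb" "$d/defaultrouter" "$d/tsolgateways" | needs_entry
    rm -rf "$d"
}
demo
```

On the configured system, the output of tninfo -h remains the authoritative view of what the kernel loaded; this check only reviews the files before they are loaded.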
Skip this procedure if the security administrator has planned a closed network. For detailed information about DNS, see the Solaris Naming Setup and Configuration Guide.
If your system is going to use DNS, click the Set DNS Servers action in the System_Admin folder and enter the nameservers by IP address, one per line.
The file looks something like:
```
nameserver nnn.nnn.nnn.nnn
nameserver nnn.nnn.nnn.nnn
```
The install team creates the administrative roles (other than root) to be used at the site. The team assigns each role its rights profiles. Initial rights profiles are provided on the installation CD-ROM.
The appropriate toolbox scope for creating roles and users in a non-networked environment is this-host: Scope=Files, Policy=TSOL.
In the root role at label ADMIN_LOW, start the Solaris Management Console if it is not running.
Select the appropriate toolbox.
Click Trusted Solaris Configuration, then click Users.
When prompted, enter the root role password.
Double-click Administrativ... (Administrative Roles).
Choose Add Administrative Role from the Action menu.
The Add Administrative Role wizard enables you to enter all values that are required for a role to work well. Values that you are not prompted to enter receive a default value. If you want to view or modify a role, double-click the role after creating it.
Create the secadmin role to be the security administrator. Use the following table as a guide when creating the role.
The secadmin password, and all passwords, should be one that is not easy to guess, thus reducing the chance of an adversary gaining unauthorized access by attempting to guess passwords.
For all administrative roles, make the account Always Available, and do not set password expiration dates.
| Tab | Role Field | (Recommended) Value |
|---|---|---|
| Role Name | Role name | secadmin |
| | Full Name | Security Administrator |
| | Description | No proprietary info here. |
| | Role ID Number | >=100 |
| | Role shell | Administrator's Bourne (profile shell) |
| | Create a role mailing list | checked |
| Password | Password and confirm | Assign a password of at least 6 alphanumeric characters. |
| Rights | Available and Granted | Rights Security |
| Home Directory | Server | home directory server |
| | Path | /mount_path |
| Assign Users | Add and Delete | This will be automatically filled in when you assign a role to a user. |
After creating the role, select it and double-click it to modify it. Use information from the following table as a guide.
Table 4-2 secadmin Values in Properties/Modify Dialog
| Tab | Role Field | (Recommended) Value |
|---|---|---|
| Password | Set password by Type in or Choose from list | (Set in Table 4-1.) |
| | Update password by Choose from list or Type in | |
| Group | Available Groups | |
| Trusted Solaris Attributes | Minimum Label: Edit | Default value is correct. |
| | Clearance: Edit | Default value is correct. |
| | View: External or Internal | The default value is External. |
| | Label: Show or Hide | If your site is a no-label site, choose Hide. |
| | Lock account ... | Default value, No, is correct. |
| Audit | Excluded and Included | Set flags per site security policy |
Using the preceding tables as a guide, create the following three roles. Give each role a unique ID, and assign to it the correct rights profile, as shown below:
| Role Name | Granted Rights |
|---|---|
| admin | System Administrator |
| primaryadmin | Primary Administrator |
| oper | Operator |
You must create the administrative roles before you create the users, since you will assign a role to each user.
The install team in the root role creates users to assume the roles secadmin, admin, and primaryadmin. Where site security policy permits, the team can choose to create one user who can assume more than one administrative role.
Double-click User Accounts in the Solaris Management Console.
Choose Add User -> Use Wizard from the Action menu.
Role and user IDs come from the same pool of IDs. Do not use existing names or IDs for the users you add.
Begin to create a user who can assume the secadmin role and use Table 4-3 to fill out the fields.
The Add User -> Use Wizard dialog boxes create most aspects of a user.
After creating the user, double-click the created user to modify some user properties.
Use Table 4-4 as a guide.
Read the (Recommended) Value columns for guidance.
Parentheses enclose suggestions. Requirements or defaults are not enclosed in parentheses.
When the install team chooses a password, the team must select one that is not easy to guess, thus reducing the chance of an attacker gaining unauthorized access by attempting to guess passwords.
| Tab | User Field | (Recommended) Value |
|---|---|---|
| User Name | User name | |
| | Full name | |
| | Description | No proprietary info here. |
| | User ID number | (1001 or higher) |
| Password | Set password by Type in or Choose from list | Assign a password of at least 6 alphanumeric characters. |
| | Confirm | |
| Group | Primary group | Staff |
| Home directory | Server | home directory server |
| | Path | |
| | Server | |
| | Path | |
For the user who can assume the secadmin role, select "Always Available" for "Account Availability" under General, below. Choose an appropriate account availability for other users.
Table 4-4 User Values in Properties/Modify Dialog
| Tab | User Field | (Recommended) Value |
|---|---|---|
| General | Shell | |
| | Account Availability | Always Available |
| Password | Set password by Type in or Choose from list | (Set in Table 4-3.) |
| | Update password by Choose from list or Type in | |
| Group | Additional Groups | |
| Roles | Available Roles and Assigned Roles | secadmin |
| Trusted Solaris Attributes | Minimum Label: Edit | Default value is correct. |
| | Clearance: Edit | Default value is correct. |
| | View: External or Internal | |
| | Label: Show or Hide | If your site is a no-label site, choose Hide. |
| Account Usage | Idle time | |
| | Idle action | |
| | Lock account ... | No -- for any user who will assume a role. |
| Rights | Available and Granted | Enable Login ... and see Note below. |
| Audit | Excluded and Included | Set flags per site security policy |
Although Basic Solaris User does not appear in the Granted column, this right is assigned automatically to a user that is created using the Add User wizard. Do not assign the right explicitly.
Create and modify another user, one who can assume the admin role.
(Optional) Create and modify third and fourth users to assume the primaryadmin and oper roles, and provide them with unique IDs and appropriate Rights.
These first users should each have at least the Enable Login right -- user can enable logins after a system reboot.
After checking your site security policy, you may want to add the Convenient Authorizations right -- user can allocate devices, enable logins, print PostScript files, print without labels, remotely log in, and shut down the system.
Do not create any more users at this time. Setting up users is a two-role, trusted procedure.
See "Managing User Accounts" in Trusted Solaris Administrator's Procedures and "Managing Users and Rights With SMC" in Trusted Solaris Administrator's Procedures for details on setting up users and user files.
In a multilabel environment, users and roles are set up with a useful file, .link_files. See "Managing Initialization Files" in Trusted Solaris Administrator's Procedures for further discussion.
If you have not set up DNS or static routing, you can skip this step.
Shut down the computer from the TP (Trusted Path) menu, and reboot it.
For each role, log in as a user who can assume the role and assume it.
In the role workspace, open the Solaris Management Console, select the Trusted Solaris Management Console with the appropriate scope for your site, and click Users.
Provide the role password when prompted, then double-click User Accounts.
Click a user.
The admin role should be able to modify fields under the tabs General, Home Directory, and Group.
The secadmin role should be able to modify fields under all tabs.
Log in as a user who can assume the primaryadmin role and assume it.
In the role workspace, open the Solaris Management Console, select the Trusted Solaris Management Console with the appropriate scope for your site, and click Users.
Provide the role password when prompted, and double-click Rights.
Create a new right by choosing Add Right from the Action menu.
Save the new right, then delete it before continuing.
The security administrator is responsible for auditing decisions.
Configure or disable auditing by doing one of the following.
Disable auditing--if site security does not require auditing. To disable auditing in the Trusted Solaris environment, follow the procedures described in Trusted Solaris Audit Administration.
Configure auditing--by following the procedures in Trusted Solaris Audit Administration.
If a directory is being shared before the admin role is created, the install team performs the procedure in the root role.
Do not use proprietary names for shared file systems. The names of shared file systems are visible to every user.
In the admin role (or root if the admin role does not exist), at label ADMIN_LOW, under Trusted Solaris Management Console, click this-host: Scope=Files, Policy=TSOL.
Click Storage, and provide a password if prompted.
Double-click Mounts and Shares, and then double-click Shares.
Choose Add Shared Directory from the Action menu.
Follow the online help to share the directory.
The tool shares the directory and starts the NFS daemons.
To modify the attributes of the shared directory, double-click the Properties tab and use the online help to guide you.
In the Trusted Solaris environment, unlabeled and labeled hosts can be mounted on a Trusted Solaris labeled host.
Do not use proprietary names for mounted file systems. The names of mounted file systems are visible to every user.
In the admin role at label ADMIN_LOW, under Trusted Solaris Management Console, click this-host: Scope=Files, Policy=TSOL.
Click Storage and provide a password if prompted.
Double-click Mounts and Shares, and then double-click Mounts.
Choose Add NFS Mount from the Action menu.
Follow and answer the prompts to mount the file system.
You are prompted to allow creation of the mount point if it does not exist. The tool adds an entry in the /etc/vfstab file, creates the mount point, and mounts the file system.
When a user is deleted from the system, the administrator must ensure that the user's home directory and any objects owned by that user are also deleted. As an alternative to deleting objects owned by the user, the administrator may change the ownership of these objects to another user who is defined on the system.
The administrator must also ensure that all batch jobs that are associated with the deleted user are also deleted. The administrator must ensure that there are no objects or processes belonging to a deleted user that remain on the system.
If you plan to use the tsolconvert utility, do not delete the install user until you have completed the required conversion steps on a Trusted Solaris 8 or Trusted Solaris 8 4/01 system. See "Saving and Restoring Trusted Solaris Databases" for more information on converting Trusted Solaris 7 to Trusted Solaris 8 4/01 databases.
In the admin role at label ADMIN_LOW, in the Solaris Management Console, choose this-host: Scope=Files, Policy=TSOL, and click Users.
Provide a password if prompted, then double-click User Accounts.
The user "install" is defined locally.
Select the user to be deleted and click the Delete button.
For the user install, you do not have mail files to delete. Other local users may have home directories and mail files to delete.
See Trusted Solaris Administrator's Procedures for tasks such as handling mail, setting up printers, and protecting file systems.