Trusted Solaris Installation and Configuration

Finishing Up Configuration

Set Up Auditing

The security administrator is responsible for auditing decisions.

    Configure or disable auditing by doing one of the following two procedures.

    Disable auditing if site security does not require it. To disable auditing in the Trusted Solaris environment, follow the procedures described in Trusted Solaris Audit Administration.

    Configure auditing by following the procedures in Trusted Solaris Audit Administration. Every Trusted Solaris system should audit users and events identically.

Copy Configuration Files for Distribution to Clients

  1. As root at label ADMIN_LOW, create a directory that cannot be deleted between reboots.

    # mkdir /export/clientfiles

  2. Copy modified files to the /export/clientfiles directory.

    For example, most sites will want to copy the /var/sadm/smc/toolboxes/tsol_smc/tsol_smc.tbx and the /var/sadm/smc/toolboxes/tsol_nameservice/tsol_nameservice.tbx files to the client machines. A site that is using a modified tnrhtp file, DNS, and auditing might copy the files /etc/security/audit_control, /etc/security/audit_startup, /etc/security/tsol/tnrhtp, /etc/resolv.conf, and /etc/nsswitch.conf.

  3. Allocate a diskette at ADMIN_LOW, and transfer the files to it.

    Physically affix a label to the diskette that marks it as containing ADMIN_LOW information.

  4. Use this diskette, and your label_encodings diskette, labeled ADMIN_HIGH, when configuring your clients.

(Optional) Share File Systems

If a directory is being shared before the admin role is created, the install team performs the procedure in the root role.


Caution -

Do not use proprietary names for shared file systems. The names of shared file systems are visible to every user.


  1. In the admin role (or root, if the admin role does not exist) at label ADMIN_LOW, under Trusted Solaris Management Console, click this-host: Scope=Files, Policy=TSOL.

  2. Click Storage, and provide a password if prompted.

  3. Double-click Mounts and Shares, and then double-click Shares.

  4. Choose Add Shared Directory from the Action menu.

  5. Follow the online help to share the directory.

    The tool shares the directory and starts the NFS daemons.

  6. To modify the attributes of the shared directory, double-click the Properties tab and use the online help to guide you.

(Optional) Mount File Systems

In the Trusted Solaris environment, unlabeled and labeled hosts can be mounted on a Trusted Solaris labeled host.


Caution -

Do not use proprietary names for mounted file systems. The names of mounted file systems are visible to every user.


  1. In the admin role at label ADMIN_LOW, under Trusted Solaris Management Console, click this-host: Scope=Files, Policy=TSOL.

  2. Click Storage and provide a password if prompted.

  3. Double-click Mounts and Shares, and then double-click Mounts.

  4. Choose Add NFS Mount from the Action menu.

  5. Follow and answer the prompts to mount the file system.

    You are prompted to allow creation of the mount point if it does not exist. The tool adds an entry in the /etc/vfstab file, creates the mount point, and mounts the file system.

(Optional) Delete the User install

Caution -

Do not remove the user install until you are satisfied that the client systems can communicate with the name service master.


When a user is deleted from the system, the administrator must ensure that the user's home directory and any objects owned by that user are also deleted. As an alternative to deleting objects owned by the user, the administrator may change the ownership of these objects to another user who is defined on the system.

The administrator must also ensure that all batch jobs that are associated with the deleted user are also deleted. The administrator must ensure that there are no objects or processes belonging to a deleted user that remain on the system.


Note -

If you plan to use the tsolconvert utility, do not delete the install user until you have completed the required conversion steps on a Trusted Solaris 8 or Trusted Solaris 8 4/01 system. See "Saving and Restoring Trusted Solaris Databases" for more information on converting Trusted Solaris 7 to Trusted Solaris 8 4/01 databases.


  1. In the admin role at label ADMIN_LOW, in the Solaris Management Console, choose this-host: Scope=Files, Policy=TSOL, and click Users.

  2. Provide a password if prompted, then double-click User Accounts.

    The user "install" is defined locally.

  3. Select the user to be deleted and click the Delete button.

    For the user install, you do not have mail files to delete. Other local users may have home directories and mail files to delete.
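
The requirement stated before these steps, that no objects, batch jobs, or processes of a deleted user remain on the system, can be checked from the shell once the account is removed. The script below is an added example, not part of the Trusted Solaris documentation. It assumes the UID was recorded before deletion, a Solaris-style cron spool such as /var/spool/cron, and a role and label that can see all of the objects being checked; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Trusted Solaris documentation.
# Assumptions: the account's numeric UID was noted before deletion (the name
# no longer resolves afterwards); batch jobs sit in a Solaris-style spool
# (crontabs/<name>, atjobs/ files owned by the submitter). All function
# names here are hypothetical.

# Objects under ROOT still owned by UID (home directory, stray files).
owned_objects() {       # usage: owned_objects UID ROOT
    find "$2" -user "$1" -print || true
}

# Leftover batch jobs: a crontab named after the user, at jobs owned by UID.
batch_jobs() {          # usage: batch_jobs NAME UID SPOOLDIR
    if [ -f "$3/crontabs/$1" ]; then echo "$3/crontabs/$1"; fi
    if [ -d "$3/atjobs" ]; then
        find "$3/atjobs" -type f -user "$2" -print || true
    fi
}

# PIDs still running as UID (ps may exit non-zero when nothing matches).
running_processes() {   # usage: running_processes UID
    ps -o pid= -u "$1" 2>/dev/null || true
}

# Report everything found; succeed only when nothing of the user remains.
check_residue() {       # usage: check_residue NAME UID ROOT SPOOLDIR
    leftovers=`owned_objects "$2" "$3"
               batch_jobs "$1" "$2" "$4"
               running_processes "$2"`
    if [ -n "$leftovers" ]; then
        echo "residue for $1 (uid $2):"
        echo "$leftovers"
        return 1
    fi
    echo "no residue for $1 (uid $2)"
}

# When called with four arguments, run the check, for example:
#   sh check_residue.sh install <recorded-uid> / /var/spool/cron
if [ $# -eq 4 ]; then
    check_residue "$@"
fi
```

Anything the report lists must be deleted or reassigned to another defined user before the removal is considered complete.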

Other Setup

    See Trusted Solaris Administrator's Procedures for tasks such as handling mail, setting up printers, and protecting file systems.