Trusted Solaris Installation and Configuration

Chapter 7 Installing a Trusted Solaris System Over a Network

When installing Trusted Solaris software over a network, the system administrator uses the Solaris 8 Advanced Installation Guide in conjunction with the Trusted Solaris exceptions and additions described in this chapter.

Due to the security features in the Trusted Solaris environment, Trusted Solaris software modifies some of the procedures used for network installation, JumpStart installation, and Custom JumpStart installation. Also, the Trusted Solaris security and system administrators must enable access to commands on the installation CD-ROM or its image.

Setting Up Network Installation

For an overall view of the differences between Trusted Solaris and Solaris installation, see "Trusted Solaris Modifications to Network Installation". See "Preparing to Install Solaris Software Over the Network" in Solaris 8 Advanced Installation Guide for the installation procedures themselves.

| Steps | Where Described |
| --- | --- |
| 1. Copy installation CDs to hard disk. | "Give Mounted Media All Allowed Privileges", "Allocate the CD-ROM Device", "Modify Permissions of Mount Point Parent", "Load Trusted Solaris Images from CDs" |
| 2. Share the install directory. | "Share the Network Install Directory" |
| 3. Add client information and reboot. | "Add Client Information to the Install Server" |
| 4. Boot the client machine. | "Boot Over the Network or with Custom Files" |
| 5. Configure it. | "Client Configuration Tasks" |

Give Mounted Media All Allowed Privileges

Users in administrative roles copy the Trusted Solaris CD-ROMs to a server's hard disk. The secadmin role gives all allowed privileges to the CD-ROM device and modifies profiles where necessary. The admin role allocates the device, changes the permissions on the parent of the mount point, and copies the software to the install server.

  1. Log in as a user who can assume the secadmin role and assume it.

  2. Open the Admin Editor from the System_Admin folder and type /etc/rmmount.conf in the file name field.

  3. Assign all allowed privileges to mounted removable media in the /etc/rmmount.conf file, as in:


    mount * hsfs udfs ufs -o nosuid allowed=all
    

  4. Write the file with :wq! and exit the editor.

Allocate the CD-ROM Device
  1. Log in as a user who can assume the admin role and assume it.

  2. In the admin role at label ADMIN_LOW, open the Device Allocation Manager, allocate the CD-ROM drive and mount it.

    After the CD-ROM has been mounted, a File Manager pops up showing the mount point of the CD-ROM.

  3. If a File Manager does not appear, bring one up from the Front Panel and navigate to the CD-ROM mount point.

    For Trusted Solaris software, the mount point should be one of:

    • /cdrom/admin-cdrom_0/trusted_sol_8_sparc

    • /cdrom/admin-cdrom_0/trusted_sol_8_ia

  4. In the File Manager, highlight /cdrom/admin-cdrom_0, the parent of the mount point.

  5. From the Selected menu, choose Properties.

    Note that the directory, named CD-ROM_FOLDER, has mode 700, so it is not searchable. The following procedure will fix that.

Modify Permissions of Mount Point Parent
  1. In the File Manager, click the Show Access Control List button, then Add ...

  2. Highlight the Mask entry and click Change.

  3. Change the Mask to Read and Execute, and click Change.

  4. Click Add..., and enter root in the User field, giving it Read and Execute.

  5. Click Add, then click OK to exit the dialog.

  6. Leave the File Manager up, available for the installation setup commands.

Load Trusted Solaris Images from CDs
  1. In the File Manager, open the Tools folder, from one of the following:

    • /cdrom/admin-cdrom_0/trusted_sol_8_sparc/Trusted_Solaris_8/Tools

    • /cdrom/admin-cdrom_0/trusted_sol_8_ia/Trusted_Solaris_8/Tools

  2. From the File menu select Open Terminal.

  3. Still in the admin role, transfer the files from the first CD to the install server by typing


    $ ./setup_install_server /export/install/ts8_{sparc,ia}
    


    Note - Do not double-click on this tool because the command must be started in a profile shell, not the shell defined in the File Manager.


    By default, the Software Installation profile contains the exact pathname for this command. The secadmin role must modify this profile if a different mount point is used. To modify a profile, see "Modifying a Role's Rights".


    Example 7-1 Admin Role Verifying that a Command is Available

    If the commands add_install_client and rm_install_client are in the admin role's profile, the profiles(1) command should display something like the following for a disk image:


    $ profiles -l | grep install_client
    /export/install/ts8_sparc/add_install_client: 
      4,5,6,10,11,12,17,30,32,33,35,36,39,52,55,57,61,68,69
    /export/install/ts8_sparc/rm_install_client:
      4,5,6,10,11,12,17,30,32,33,35,36,39,52,55,57,61,68,69

  4. When the pound sign (#) prompt displays, deallocate the CD.

  5. Insert the second CD, allocate it and mount it.

  6. For the second CD, still in the admin role, repeat Step 4 through Step 6 of the procedure "Modify Permissions of Mount Point Parent".

  7. In the File Manager, open the Tools folder on the second CD, one of the following:

    • /cdrom/admin-cdrom_0/trusted_sol_8_sparc/Solaris_8/Tools

    • /cdrom/admin-cdrom_0/trusted_sol_8_ia/Solaris_8/Tools

  8. From the File menu select Open Terminal.

  9. Transfer the files from the second CD to the install server by typing


    $ ./add_to_install_server /export/install/ts8_{sparc,ia}
    


    Note - Do not double-click on this tool because the command must be started in a profile shell, not the shell defined in the File Manager.


  10. Deallocate the second CD and remove it.
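
As an added example (not part of the Sun documentation): the `grep install_client` in Example 7-1 matches the command name under any path, while the Software Installation profile lists an exact pathname. The sketch below checks a `profiles -l` listing for each command at one specific directory; the function names are hypothetical, the sample listing is constructed from Example 7-1, and the listing layout is assumed to be the one shown there.

```shell
#!/bin/sh
# Added example, not from the Trusted Solaris documentation.
# Assumes the `profiles -l` layout shown in Example 7-1:
# "/full/path/command:" followed by an indented line of privilege numbers.

# Constructed sample listing (values copied from Example 7-1).
sample_listing() {
    cat <<'EOF'
/export/install/ts8_sparc/add_install_client: 
  4,5,6,10,11,12,17,30,32,33,35,36,39,52,55,57,61,68,69
/export/install/ts8_sparc/rm_install_client:
  4,5,6,10,11,12,17,30,32,33,35,36,39,52,55,57,61,68,69
EOF
}

# Usage: profiles -l | missing_cmds DIR CMD...
# Prints every CMD that the listing does not contain as exactly DIR/CMD.
missing_cmds() {
    dir=${1%/}
    shift
    listing=$(cat)    # read the whole listing once, reuse it per command
    for cmd in "$@"; do
        printf '%s\n' "$listing" |
            awk -v want="$dir/$cmd:" '
                { sub(/^[ \t]+/, "") }             # ignore leading blanks
                index($0, want) == 1 { found = 1 } # entry starts with DIR/CMD:
                END { exit !found }
            ' || printf '%s\n' "$cmd"
    done
}

# Disk image path from Example 7-1: both commands are present, prints nothing.
sample_listing | missing_cmds /export/install/ts8_sparc \
    add_install_client rm_install_client

# A profile that names only the SPARC image does not cover an IA image,
# so both command names are printed as missing.
sample_listing | missing_cmds /export/install/ts8_ia \
    add_install_client rm_install_client
```

The same function covers the pfinstall check later in this chapter when given the directory that holds pfinstall.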

Share the Network Install Directory

Completing network installation setup requires a user in the admin role. Follow the instructions for Solaris network installation setup, using the following procedures when needed.

  1. In the admin role at ADMIN_LOW, start the Solaris Management Console.


    $ smc &
    
  2. Select the this-host: Scope=Files, Policy=TSOL toolbox.

  3. Navigate to the Mounts and Shares tool in the Solaris Management Console to share the network install directory for the Trusted Solaris image.

    If you are unsure of the steps, see "(Optional) Share File Systems".

  4. Double-click the Properties tab to modify the properties of the shared file system.

  5. Enter ro, anon=0, and "netinstall dir" for the network install directory, for example, for /export/ts8_sparc_install.

Add Client Information to the Install Server

To modify or create files in the /etc directory, use the Admin Editor from the System_Admin folder to give the file the correct security attributes.

See "To Create or Open a File from the Trusted Editor" for how to create or modify a file using the Admin Editor.

  1. To create an empty ethers file, in the admin role at ADMIN_LOW, invoke the Admin Editor.

  2. Enter the full path to the file, /etc/ethers.

  3. Once the editor is open, type :wq to save the empty file.

  4. In a terminal, change the file permissions to 644.


    $ chmod 644 /etc/ethers
    
  5. Run the Name Service Switch action from the System_Admin folder.

  6. Change the ethers, netmasks, and bootparams entries in the file to read as follows:

    ethers: files name-service dns
    netmasks: files name-service dns
    bootparams: files name-service dns

    The variable name-service is one of nis or nisplus.

  7. In the admin role at ADMIN_LOW, run the add_install_client command to add client information to the OS server.

    See the add_install_client(1M) man page for details.

  8. Reboot the install server before attempting to install clients over the network.

Trusted Solaris Modifications to Network Installation

Trusted Solaris software modifies network installation commands and procedures that require greater security. For example, the Volume Manager adds a mounting-user directory when mounting devices in the Trusted Solaris environment.

Table 7-1 Trusted Solaris Differences in Network Installation

| Solaris Software | Trusted Solaris Software |
| --- | --- |
| You can log in as root. | There is no superuser. You log in as a user who can assume the root role, or as a user who can assume the admin or secadmin role, depending on the task. Then, assume the role to perform the task. |
| Processes and files do not have a label. | All processes and files are labeled. Commands and actions are run at a particular label. Most administrative tasks are run at the label ADMIN_LOW. |
| Administrators can often use a command line interface, even if a corresponding GUI equivalent exists. | Many administrative commands are run from a GUI, which calls checking and synchronizing functions. |
| Administrators can run an administrative command from a CD-ROM or diskette. | Commands that are on a diskette or CD-ROM, or are accessible from an NFS mount, may need to be added to the admin role's profile before they can be run. |
| Allows you to use a CD-ROM or diskette without allocating it. | Requires you to allocate a peripheral device at a particular label before its use. Before removing the medium, you must deallocate it. |

Modifications to Network Installation Commands

The following commands and actions are used when installing Solaris software or Trusted Solaris software over a network, and their use is modified in the Trusted Solaris environment. The following listing describes the additional procedures or security requirements. Commands that do not require a change in procedure are not listed. See "Preparing to Install Solaris Software Over the Network" in Solaris 8 Advanced Installation Guide for the installation procedures themselves.

Table 7-2 Modified Network Commands

| Network Command or GUI | Trusted Solaris Modification in its Use |
| --- | --- |
| setup_install_server(1M), add_install_client(1M), add_to_install_server(1M), rm_install_client(1M) | You must be in the admin role, at label ADMIN_LOW, in a terminal where the command is in a profile assigned to the admin role. If the admin role does not have this /pathname/*install* command in its assigned profiles, the secadmin role, at label ADMIN_LOW, must add it to the Custom Admin Role profile. For the procedure, see "Modifying a Role's Rights". |
| mount(1M) | The admin role, at label ADMIN_LOW, runs this command. If you are mounting a CD-ROM or diskette on an installed system, the admin role must allocate the device at a particular label, usually ADMIN_LOW. When the medium is removed, the device must be deallocated. |

Setting Up Custom JumpStart Installation

In the Trusted Solaris environment, Custom JumpStart procedures are handled by administrative roles. For an explanation of Custom JumpStart, see "Preparing Custom JumpStart Installations" in Solaris 8 Advanced Installation Guide. Trusted Solaris software modifies Custom JumpStart procedures as it does other installations, with device allocation and task allocation by role. Note that the Trusted Solaris environment does not support mounting remote file systems during installation.


Note - Factory-installed JumpStart may not be supported by Trusted Solaris software.


Create a JumpStart Diskette

This procedure is done by the admin role at label ADMIN_LOW.

  1. In the admin role at label ADMIN_LOW, allocate the floppy drive.

    See "Allocate the Appropriate Device" if you are unsure of the steps.

  2. Format the JumpStart diskette by running the fdformat command.

  3. Create a file system on the diskette by running the newfs command.

  4. Create a mount point on the diskette by running the mkdir command.

  5. Run the mount command.


    Example 7-2 Mount a UFS Filesystem on a Diskette

    To create a UFS file system on a diskette to be used for Custom JumpStart, as admin at ADMIN_LOW:


    $ mkdir /ts8_jumpstart
    $ mount -F ufs /dev/diskette /ts8_jumpstart
    

  6. Run the cp command to copy the JumpStart sample directory to the diskette.

  7. Share the directory.

    For details of the procedure, see "(Optional) Share File Systems".

  8. Use the -c option to the add_install_client command to add JumpStart details to the install server's local bootparams database.

  9. When you are finished with the JumpStart diskette, deallocate the drive and remove the diskette.

    See "Deallocate the Device" if you are unsure of the steps.

Edit a JumpStart Profile
  1. When following the procedures in "Creating a Profile" in Solaris 8 Advanced Installation Guide, assume the admin role at label ADMIN_LOW, and use the Admin Editor action to edit a JumpStart profile.

    For how to use the Admin Editor, see "To Create or Open a File from the Trusted Editor".

    The upgrade keyword is not fully supported in the Trusted Solaris 8 4/01 installation program. If you want to upgrade Trusted Solaris 8 systems, this keyword should work.

Use pfinstall to Test a Profile

Use this procedure to modify the procedures in "Testing a Profile" in Solaris 8 Advanced Installation Guide and "pfinstall" in Solaris 8 Advanced Installation Guide.

In the Trusted Solaris environment, testing profiles is handled by the admin role, and modifying rights profiles is handled by the secadmin role.

  1. On an installed and configured Trusted Solaris system, log in as a user who can assume the admin role.

  2. As admin at label ADMIN_LOW, launch a terminal and see that the pfinstall(1M) command is available in the role's profile shell.


    $ profiles -l | grep pfinstall
    

    The name profile shell refers to a shell that recognizes rights profiles. It does not refer to the machine profiles being tested here.

  3. If the command is not in the profile, the secadmin role must add it to the admin role's rights, and then the admin role launches a new terminal in which to run the command.

    See "Modifying a Role's Rights" for how to add the pfinstall command to the admin role's rights profile.

Edit a Rules File
  1. When following the procedures in "Creating the rules File" in Solaris 8 Advanced Installation Guide, assume the admin role at label ADMIN_LOW, and edit the rules file with the Admin Editor action.

  2. To use a Trusted Solaris-specific value for the version keyword:

    For the installed option, the version keyword:

    version - A version name, such as Trusted_Solaris_8, or the special word any. If any is used, any Trusted Solaris or SunOS release is matched.

    For the osname option, the version keyword:

    version - A version of the Trusted Solaris environment installed on the system: for example, Trusted Solaris 7.

Validate a Rules File
  1. In the admin role at label ADMIN_LOW, run the check script.

Copy a Rules File
  1. In the admin role at label ADMIN_LOW, copy the file.

Modifying Optional Custom JumpStart Procedures

Use the Trusted Solaris information that follows to modify the procedures in "Using Optional Custom JumpStart Features" in Solaris 8 Advanced Installation Guide.

Create Begin and Finish Scripts

Use this information to modify the procedures in "Creating Begin Scripts" in Solaris 8 Advanced Installation Guide and "Creating Finish Scripts" in Solaris 8 Advanced Installation Guide.

  1. In the admin role at label ADMIN_LOW, create and modify scripts using the Admin Editor action.

  2. Make sure that the scripts invoke a profile shell, such as pfsh or pfksh.

    See the pfexec(1) man page.

Trusted Solaris Script Examples

The following procedures expand on and modify procedures in "To Add Files With a Finish Script" in Solaris 8 Advanced Installation Guide.

Reboot the Computer with a Finish Script
  1. The first line in the script must invoke a profile shell.


    #!/bin/pfsh
    ...
  2. The last line in the finish script reboots the computer.


    #!/bin/pfsh
    
    ...
    /usr/sbin/reboot

Add label_encodings File with a Finish Script
  1. In the admin role at label ADMIN_HIGH, place a copy of the site's label_encodings file into the JumpStart directory on the diskette.


    $ cp /etc/security/tsol/label_encodings  ${SI_CONFIG_DIR}/label_encodings
    
  2. Copy the label_encodings file onto the system during installation.

    For example, if you are using a custom JumpStart diskette to install Trusted Solaris software, the following finish script copies the file from the JumpStart directory into a system's /etc/security/tsol directory during a custom JumpStart installation:


    #!/bin/pfsh
    cp ${SI_CONFIG_DIR}/label_encodings  /a/etc/security/tsol
    

Set the Root Password With a Finish Script

Note - This example modifies the procedures in "Setting the System's Root Password With a Finish Script" in Solaris 8 Advanced Installation Guide.


    In the admin role at label ADMIN_LOW, set the variable PASSWD to an encrypted root password obtained from an existing entry in a system's /etc/shadow file.


Caution - If you set your root password by using a finish script, be sure to safeguard against those who will try to discover the root password from the encrypted password in the finish script.
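
As an added example (not part of the Sun documentation), the following lint covers two points from the finish-script procedures above: each script must invoke a profile shell on its first line, and a script that sets PASSWD carries the encrypted root password. The function name, the readable-by-group-or-other test, and the acceptance of pfcsh and of a /usr/bin path are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the Trusted Solaris documentation.
# Lints finish scripts for two points made on this page: the interpreter line
# must invoke a profile shell, and an embedded PASSWD hash needs protecting.

# Prints one finding per line for FILE; prints nothing when FILE passes.
audit_finish_script() {
    f=$1

    # 1. First line must be "#!" plus a profile shell (pfsh, pfksh; pfcsh is
    #    also accepted here, an assumption beyond the page's two examples).
    first=$(sed -n '1p' "$f")
    printf '%s\n' "$first" |
        grep -Eq '^#![[:space:]]*(/usr)?/bin/pf(sh|ksh|csh)([[:space:]]|$)' ||
        printf '%s: first line is not a profile shell: %s\n' "$f" "$first"

    # 2. A script that assigns PASSWD carries the encrypted root password.
    #    Report it when the mode lets group or other read the file.
    if grep -q '^[[:space:]]*PASSWD=[^[:space:]]' "$f"; then
        mode=$(ls -ld "$f" | cut -c1-10)
        case $mode in
            ????r*|???????r*)
                printf '%s: PASSWD hash in file with mode %s\n' "$f" "$mode" ;;
        esac
    fi
}

# Usage: sh audit_finish.sh jumpstart_dir_path/*   (script name is hypothetical)
for script in "$@"; do
    audit_finish_script "$script"
done
```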


Modifications to Creating a Disk Configuration File

In the Trusted Solaris environment, configuration files are handled by the admin role. Use the following information to modify the procedures in "Creating Disk Configuration Files" in Solaris 8 Advanced Installation Guide. The Intel architecture procedure also modifies "fdisk" in Solaris 8 Advanced Installation Guide.

SPARC: To Create a SPARC Disk Configuration File
  1. Log on as a user who can assume the admin role.

  2. In the admin role at label ADMIN_LOW, launch a terminal and determine the device name for the system's disk.

  3. Redirect the output of prtvtoc to create the disk configuration file:


    $ prtvtoc /dev/rdsk/device_name > disk_config
    
IA: To Create an Intel Disk Configuration File

  1. As admin at label ADMIN_LOW, redirect the output of the following prtvtoc command to a file.


    $ prtvtoc /dev/rdsk/device_name > file1
    

  2. Save the output of the following fdisk command to a file.


    $ fdisk -R -d -n /dev/rdsk/device_name 2>file2
    

  3. Concatenate the two files to create a disk configuration file.


    $ cat file1 file2 > disk_config
    

  4. Copy the disk configuration file to the JumpStart directory:


    $ cp disk_config   jumpstart_dir_path
    

Modifying a Solaris JumpStart Example

Use the Trusted Solaris information that follows to modify the example in "Example of Setting Up and Installing Solaris Software With Custom JumpStart" in Solaris 8 Advanced Installation Guide.

In the Trusted Solaris environment, the Solaris JumpStart marketing and engineering example requires a user to assume the admin role.

In the Trusted Solaris operating environment:

Set up the engineering systems for installation

On the install server, the admin role at the label ADMIN_LOW uses the add_install_client(1M) command:


$ cd /export/install
$ ./add_install_client -c server_1:/jumpstart host_eng1 sun4u
$ ./add_install_client -c server_1:/jumpstart host_eng2 sun4u
...

Set up the marketing systems for installation

An administrator in the admin role at label ADMIN_LOW then uses the setup_install_server(1M) command that copies the boot software from the CD to the marketing server.


$ cd /cdrom/admin-cdrom_0/s0/Trusted_Solaris_8/Tools
$ ./setup_install_server -b /marketing/boot-dir sun4c

At label ADMIN_LOW, the admin role uses the add_install_client command on the marketing group's boot server.


$ cd /marketing/boot-dir
$ ./add_install_client -s server_1:/export/install \
-c server_1:/jumpstart host_mkt1 sun4c
$ ./add_install_client -s server_1:/export/install \
-c server_1:/jumpstart host_mkt2 sun4c
...