Documentation Home
> Trusted Solaris Administrator's Procedures
Trusted Solaris Administrator's Procedures
Book Information
Preface
Chapter 1 Administering in a Role
Administering Systems in an Administrative Role
Accessing Administration Tools
Administering Remote Systems
Administering as a Role (Tasks)
To Log In and Assume a Role
To Leave an Administrative Role
To Launch the Solaris Management Console
To Launch Local Administrative Actions
To Edit a Local File
To Work at a Different Label
To Enable Any Role to Log In Remotely
To Log In Remotely From the Command Line
To Launch Administrative Actions Remotely
Chapter 2 Administering Security Requirements
Enforcing Security Requirements
Training Users About Security Requirements
Using Email
Enforcing Password Requirements
Changing Root's Password
Protecting Information
Protecting Passwords
Administering Groups
Deleting Users
Changing Number of Allowable Password Tries
Managing the Relabeling of Files
sel_config File Sections
Automatic Confirmation Section
Automatic Reply Section
Extending Authorizations and Privileges
Adding New Authorizations
Adding New Privileges
The priv_names.h File
The priv_name File
Changing CDE Defaults
Customizing the Workspace Menu
Customizing the Front Panel
Changing and Accessing Security Information (Tasks)
To Change the Allowed Number of Password Tries
To Prevent Account Locking for Individuals
To Prevent Account Locking for All User Accounts
SPARC: To Enable Keyboard Shutdown
To Prevent Logins From Being Disabled After a Reboot
To Change Configurable Kernel Switch Settings
To Modify the Selection Configuration File
To Add an Authorization to the Environment
To Add a Privilege to the Environment
To Customize the Workspace Menu
To Get a Hexadecimal Equivalent for a Label
To List a User's Home Directory SLDs and Their Labels
Chapter 3 Managing User Accounts
Setup Before Creating User Accounts
Decisions to Implement Before Creating Users
Decisions to Implement Before Users Log In
Managing Default User Security Attributes
Label Encodings File Defaults
policy.conf File Defaults
Managing Remote Logins
Managing Initialization Files
Controlling the Sourcing of Startup Files
.dtprofile Files
The Sourcing of Startup Files for the Profile Shell User
Controlling Which Startup Files Are Read When a Shell Comes Up
Forcing dtterm to Source $HOME/.login or .profile
Administering Skeleton Directories
Accessing All Man Pages
Using .copy_files and .link_files
Administering cron, at, and batch Jobs
Running a Job with a Profile Shell
Running Privileged Commands in Scheduled Jobs
How the UNIX Domain Socket is Used for Communications
Permitting Users to Access Others' Jobs
Conditions for Access to Other's Jobs
Assigning the SMC to Normal User Accounts
Preparing for User Accounts (Tasks)
To Modify Default User Label Attributes
To Modify policy.conf Defaults
To Set Up Startup Files for Users
To Invoke .login or .profile During Login
To Force dtterm to Launch New Shells as Login Shells
To Customize Shell Initialization Files for Users
To Enable a User to Track Others' Jobs on a System
To Enable a User to Track All Others' Jobs
Chapter 4 Managing Users and Rights With SMC
Before Setting Up User Accounts
Adding or Modifying a User Account
Assigning Passwords to Users
Assigning Rights to Users
Assigning Roles to Users
Assigning Trusted Solaris Attributes to Users
Assigning Audit Classes to Users
Adding or Modifying a Rights Profile
Managing Users and Rights (Tasks)
To List All Rights
To Create a Help File for a Rights Profile
To Create a Rights Profile
To Modify a Rights Profile
To Create a User Template
To Add a User Account
To Modify a User Account
To Assign a Right to a User
To Assign an Authorization to a User
Chapter 5 Managing Roles
Roles and the Trusted Path Attribute
Allowing Remote Logins by Administrative Roles
Creating a New Role
Modifying a Role With the SMC
Customizing Profiles for the Recommended Roles
Enabling Role Assumption from Untrusted Systems
Managing Roles (Tasks)
To Alias vi to adminvi
To Assign the trusted_edit Editor to a Role
To Alias vi to trusted_edit
To List All Roles
To Modify a Role
To Configure a New Role
To Enable a Role to Administer NIS+
To Enable Remote Role Assumption from Untrusted Systems
Chapter 6 Managing Mail
Managing Trusted Solaris Mail Features
.mailrc Is at User's Minimum Label Only
The Solaris Management Console Manages Mail Aliases
Users Cannot Read Email Below Minimum Label
Users Cannot List the Mail Queue
dtmail is the Default Mail Application
Troubleshooting Mail Problems
Tracing Mail Delivery Difficulties
Tracing sendmail's Activities
Debugging sendmail
Managing Mail (Tasks)
To Enable the IMAP Server to Authenticate Users
To Configure Users To Receive Mail Below Their Minimum Labels
To Modify a Mail Alias
To Permit Users to See the Mail Queue
To Troubleshoot Mail Delivery Difficulties
To Trace sendmail for Trusted Solaris Information
To Check Network Connections for Sending Mail
To Troubleshoot Loss of Mail Icons
To Create a Multilevel Action for the Alternate Mail Application
To Substitute an Alternate Mail Application for All Users
To Install an Alternate Mailer in the Front Panel
Chapter 7 Managing Computers and Networks
Managing Trusted Network Communications
SMC Tools for Administering Computers and Networks
Meeting the Goals of Trusted Networking
Understanding Security Attributes Assigned to Computers
Host Types
Computer Accreditation Range
Domain of Interpretation (DOI)
DOIs in Trusted Solaris IPv4 Packets
DOIs in Trusted Solaris IPv6 Packets
Default Label
Default Clearance
Forced Privileges
Allowed Privileges
Advanced Security Attributes
Using IP Labels in Trusted Routing
Default Templates
Default Templates for Trusted Solaris Systems
Default Templates for Unlabeled or RIPSO Computers
Wildcard Entry and Prefix Length
CIPSO Labels in Packets
Ensuring Labels Are Mappable to CIPSO Labels
RIPSO Labels in Packets
Understanding Security Attributes Assigned to Network Interfaces
Network Interface Accreditation Range
Default Security Attributes
Accreditation Checks
MAC Enforcement on Outgoing Messages
MAC Checks on Messages Being Forwarded
MAC Enforcement on Incoming Messages
Administering Routing
Background on Routing
Choosing Routers
Specifying the SRI
Emetric
Routing Table
Extended RIP
Determining Dynamic or Static Routing
Enabling a Single-Label Gateway to Forward Packets at Multiple Labels
Chapter 8 Specifying Routing and Security for Remote Computers
Assigning Security Attributes to Remote Hosts and Network Gateways
Setting Up Templates
Storing Network Information
Modifying the Boot-Time Tnrhdb File
Setting Up Tunneling
Managing Trusted Networking (Tasks)
To Open the Security Families Tool
To Construct Templates for Hosts
To Assign Templates to Hosts
To Create a Wildcard Entry for Remote Hosts
To Change the tnd Polling Interval
To Replace the 0.0.0.0 Entry in the Local Tnrhdb File
Example -- Changing the Label of the 0.0.0.0 Tnrhdb Entry
To Configure a Network Interface
To Set Up Static Routes with Emetrics
To Set Up Tunneling
Chapter 9 Managing Files and File Systems
Requirements Unique to Trusted Solaris File Systems
Specifying Security Attributes on Files and File Systems
Security Attributes on Files and Directories
Specifying Security Attributes on Files and Directories
Changing Labels and Privileges
Changing File and Directory Attribute Flags
Security Attributes on File Systems
The Label Attribute
Specifying Security Attributes on Variable File Systems
Specifying Security Attributes on Fixed File Systems
Mounting File Systems in the Trusted Solaris Environment
Mount Options Used for Protection
Summary of Attributes on Various File System Types
Trusted Solaris Attribute Precedence Rules
Trusted Solaris Software and NFS
Sharing Directories
Troubleshooting Mount Failures
Managing Files and File Systems (Tasks)
To Back Up Files
To Restore Files
To Change Labels and Privileges With the File Manager
To Set Security Attributes While Creating a Local File System
To Set Security Attributes on a File System
To Specify Mount-time Security Attributes on the Command Line
To Specify Mount-time Security Attributes in the vfstab_adjunct File
To Share a Directory
To Mount a TMPFS File System Using the Command Line
To Mount a CD-ROM with a HSFS File System
To Automatically Launch a CD Player for an Audio CD-ROM
To Listen to an Audio CD as any User or Role
To Troubleshoot Mount Failures
Chapter 10 Managing Name Services
Managing Multiple Trusted Solaris Computers in a Security Domain
Managing Standalone Trusted Solaris Computers
Enabling the root Role or a New Role to Administer a Name Server
Trusted Solaris NIS Maps and NIS+ Tables
Managing Name Services (Tasks)
To Enable Domain Administration from a Client
To Save and Restore NIS Maps
To Save and Restore NIS+ Tables
To Use NIS and NIS+ Administrative Actions
Chapter 11 Managing Printing
Requirements Unique to Trusted Solaris Printers
Configuring Printers in a Trusted Solaris Environment
Allowing the Printing of PostScript Files
Adding Support for Additional File Types
Setting Up Printers That do not Support Security Features
Managing Network Printers
Controlling Whether Security Information is Printed on Print Jobs
Print Job Information on Banner and Trailer Pages
Permitting Safe Jobs to Be Printed Without Labeled Pages
Managing Printing (Tasks)
To Set Up Printing to a Non-Trusted Solaris Server
To Launch the Printer Administrator Action
To Configure an Attached Printer
To Configure a Network Printer for Labeled Output
To Configure a Restricted Label Range for a Printer
To Add Access to a Remote Printer
To Enable Some Users to Print Without Banners and Trailer Pages
To Assign Printing-Related Authorization(s) to an Account
To Suppress the Printing of Page Labels on All Print Jobs
To Allow Some Users to Print Jobs Without Page Labels
To Set Up Public Print Jobs from an Unlabeled Print Server
Chapter 12 Managing Devices
Controlling Access to Devices
Setting a Label Range
Managing Device Access Policies
Initial Device Configuration Decisions
Managing Devices
Making a Device Available
Using the Device Allocation Manager
Configuring a Device
Handling of Allocated Devices at Boot
Authorizing Device Allocation
Enforcing Device Security
Recovering From the Allocate Error State
Using Device-Clean Scripts
Device-Clean Script for Tape Devices
Device-Clean Scripts for Floppy Disks and CD-ROM
Device-Clean Script for Audio
Writing New Device-Clean Scripts
Mounting an Allocated CD-ROM Device
Mounting an Allocated Floppy Device
Device-related Commands, Databases, and Files
Ancillary Files for Allocatable Devices
Managing Devices (Tasks)
To Save Files With Security Attributes to a Tape
To Set or Modify Device Policy for a Device
To Revoke or Reclaim a Device
To Play an Audio CD
To Add a Device
To Add Site-Specific Authorizations to a Device
To Configure a Serial Line for Logins
To Assign Device Authorizations to an Account
To Prevent File Manager Display After Device Allocation
To Change or Add a Device Clean Script
Chapter 13 Adding Software
Types of Software
Administrator Role Responsibilities
Security Administrator Role Responsibilities
Privilege Enabling Mechanisms
System Shell
Profile Shells
Trusted Processes in the Window System
Trusted Libraries
Assigning Privileges
Giving Forced Privileges to an Executable File
Assigning Inheritable Privileges to a Command or Action
Passing Privileges to Child Processes
Passing Privileges to Another Program
Not Passing Forced Privileges via Shell Scripts
Creating and Using Shell Scripts
Summary of Shell Script Behavior in the Trusted Solaris Environment
Using Profile Shell Scripts
Profile Shells for Normal Users
Profile Shells for Administrative Roles
Editing Executables With Inheritable Privileges
Testing New Software for Security
Evaluating a Program for Security
Considering When to Add Privilege
Running a Program As Root
Cooperating to Create a Trusted Program
Developer's Responsibilities
Security Administrator Role`s Responsibilities
Adding Trusted Actions
Finding Which Privileges a Program Needs
Making Libraries Trusted
Adding Boot Commands
Adding Commands to the inittab File
Adding Commands to /etc/init.d Scripts
Adding Services to the inet Daemon
Managing Software (Tasks)
To Mount a CD-ROM for Adding a Package
To Give Forced Privileges to a Command
To Create a New File Edit Action
To Add Actions Outside of the System_Admin Folder
To Make New Actions Available to the Rights Tool
To Write a Profile Shell Script
To Write a Standard Shell Script that Runs Privileged Commands
To Save and Restore Privileges When Editing a File
To Find Out Which Privileges a Program Needs
To Make a Library Directory Trusted
To Add Commands to the /etc/inittab File
To Run rc Scripts With Security Attributes
To Add Services to the inetd.conf File
To Install a Java Jar File
Index
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
R
S
T
U
V
W
X
© 2010, Oracle Corporation and/or its affiliates