The following task map describes procedures to protect devices at your site.

Task | Description | For Instructions
---|---|---
Set or modify device policy. | Changes the privileges that are required to access a device. | Configuring Device Policy (Task Map) in System Administration Guide: Security Services
Authorize users to allocate a device. | The Security Administrator role assigns a profile with the Allocate Device authorization to the user. | How to Authorize Users to Allocate a Device in System Administration Guide: Security Services
 | The Security Administrator role assigns a profile with the site-specific authorizations to the user. | Customizing Device Authorizations in Trusted Extensions (Task Map)
Configure a device. | Chooses security features to protect the device. | 
Revoke or reclaim a device. | Uses the Device Manager to make a device available for use. | 
 | Uses Solaris commands to make a device available or unavailable for use. | Forcibly Allocating a Device and Forcibly Deallocating a Device in System Administration Guide: Security Services
Prevent access to an allocatable device. | Provides fine-grained access control to a device. | 
 | Denies everyone access to an allocatable device. | 
Protect printers and frame buffers. | Ensures that nonallocatable devices are not allocatable. | 
Configure serial login devices. | Enables logins by serial port. | 
Use a new device-clean script. | Places a new script in the appropriate places. | 
By default, an allocatable device has a label range from ADMIN_LOW to ADMIN_HIGH and must be allocated before it can be used. Also, users must be authorized to allocate the device. These defaults can be changed.

You must be in the Security Administrator role in the global zone.

1. From the Trusted Path menu, select Allocate Device.
   The Device Manager appears.
2. View the default security settings.
   Click Device Administration, then highlight the device. The following figure shows a CD-ROM drive with default security settings.
3. (Optional) Restrict the label range on the device.
   a. Set the minimum label.
      Click the Min Label... button. Choose a minimum label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions.
   b. Set the maximum label.
      Click the Max Label... button. Choose a maximum label from the label builder.
4. Specify whether the device can be allocated locally.
   In the Device Configuration dialog box, under For Allocations From Trusted Path, select an option from the Allocatable By list. By default, the Authorized Users option is checked, so the device is allocatable, but only by users who hold the required authorization.
5. Specify whether the device can be allocated remotely.
   In the For Allocations From Non-Trusted Path section, select an option from the Allocatable By list. By default, the Same As Trusted Path option is checked, so remote allocation follows the same rule as local allocation.
6. If the device is allocatable, and your site has created new device authorizations, select the appropriate authorization.
   The following dialog box shows that the solaris.device.allocate authorization is required to allocate the cdrom0 device.
   To create and use site-specific device authorizations, see Customizing Device Authorizations in Trusted Extensions (Task Map).
7. To save your changes, click OK.
If a device is not listed in the Device Manager, it might already be allocated or it might be in an allocate error state. The system administrator can recover the device for use.

You must be in the System Administrator role in the global zone. This role includes the solaris.device.revoke authorization.

1. From the Trusted Path menu, select Allocate Device.
   In the following figure, the audio device is already allocated to a user.
2. Click the Device Administration button.
3. Check the status of the device.
   Select the device name and check the State field.
4. Close the Device Manager.
The No Users option in the Allocatable By section of the Device Configuration dialog box is used most often for the frame buffer and printer, which do not have to be allocated to be used.

You must be in the Security Administrator role in the global zone.

1. From the Trusted Path menu, select Allocate Device.
2. In the Device Manager, click the Device Administration button.
3. Select the new printer or frame buffer.
4. To make the device nonallocatable, click No Users.
5. (Optional) Restrict the label range on the device.
   a. Set the minimum label.
      Click the Min Label... button. Choose a minimum label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions.
   b. Set the maximum label.
      Click the Max Label... button. Choose a maximum label from the label builder.
Selecting No Users in the Allocatable By section for allocations from the non-trusted path prevents remote users from allocating the audio device, and therefore from listening to conversations around the system.

The security administrator configures the audio device in the Device Manager as follows:

Device Name: audio
For Allocations From: Trusted Path
Allocatable By: Authorized Users
Authorizations: solaris.device.allocate

Device Name: audio
For Allocations From: Non-Trusted Path
Allocatable By: No Users
You must be in the Security Administrator role in the global zone.

1. Open the Solaris Management Console in the Files scope.
2. Under Devices and Hardware, navigate to Serial Ports.
3. Provide a password when prompted. Follow the online help to configure the serial port.
4. To change the default label range, open the Device Manager.
   The default label range is ADMIN_LOW to ADMIN_HIGH.

After creating a serial login device, the security administrator restricts the label range of the serial port to a single label, Public. The administrator sets the following values in the Device Administration dialog boxes.

Device Name: /dev/term/[a|b]
Device Type: tty
Clean Program: /bin/true
Device Map: /dev/term/[a|b]
Minimum Label: Public
Maximum Label: Public
Allocatable By: No Users
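The following model, added here as an example and not part of Trusted Extensions or of this guide, encodes the three checks that the Device Manager settings above control (the label range, the Allocatable By choice for the trusted and the non-trusted path, and the required authorization) and evaluates them for the cdrom0 defaults from the device configuration procedure, the audio example, and the serial port example. The label representation (a classification level plus compartments), the label names other than ADMIN_LOW, ADMIN_HIGH and Public, and the compartment names are assumptions made for the example.

```python
"""Added example (not Trusted Extensions code): a model of the allocation checks that
the Device Manager settings on this page describe.  Label values and compartment
names are constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a classification level plus a set of compartments (assumed model)."""
    name: str
    classification: int
    compartments: frozenset = frozenset()

    def dominates(self, other: Label) -> bool:
        """Dominance: at least as high a classification and a superset of compartments."""
        return (self.classification >= other.classification
                and self.compartments >= other.compartments)


# Constructed labels.  ADMIN_LOW is dominated by every label and ADMIN_HIGH dominates
# every label, so the default range ADMIN_LOW..ADMIN_HIGH admits any label.
ALL_COMPARTMENTS = frozenset({"A", "B"})
ADMIN_LOW = Label("ADMIN_LOW", 0)
PUBLIC = Label("PUBLIC", 1)
INTERNAL_A = Label("INTERNAL A", 2, frozenset({"A"}))
ADMIN_HIGH = Label("ADMIN_HIGH", 99, ALL_COMPARTMENTS)


class AllocatableBy(Enum):
    AUTHORIZED_USERS = "Authorized Users"
    NO_USERS = "No Users"
    SAME_AS_TRUSTED_PATH = "Same As Trusted Path"  # only meaningful for the non-trusted path


@dataclass(frozen=True)
class DeviceConfig:
    """The security settings of one device, defaulting to the values the page describes."""
    name: str
    min_label: Label = ADMIN_LOW
    max_label: Label = ADMIN_HIGH
    trusted_path: AllocatableBy = AllocatableBy.AUTHORIZED_USERS
    non_trusted_path: AllocatableBy = AllocatableBy.SAME_AS_TRUSTED_PATH
    authorization: str = "solaris.device.allocate"

    def __post_init__(self) -> None:
        if self.trusted_path is AllocatableBy.SAME_AS_TRUSTED_PATH:
            raise ValueError("Same As Trusted Path is not a valid trusted-path setting")
        if not self.max_label.dominates(self.min_label):
            raise ValueError(f"{self.name}: maximum label must dominate minimum label")

    def label_in_range(self, label: Label) -> bool:
        return label.dominates(self.min_label) and self.max_label.dominates(label)

    def effective_policy(self, via_trusted_path: bool) -> AllocatableBy:
        policy = self.trusted_path if via_trusted_path else self.non_trusted_path
        return self.trusted_path if policy is AllocatableBy.SAME_AS_TRUSTED_PATH else policy


def can_allocate(device: DeviceConfig, user_auths: set[str], label: Label,
                 via_trusted_path: bool) -> tuple[bool, str]:
    """Decide an allocation request and give the reason; the checks are applied in order."""
    path = "trusted path" if via_trusted_path else "non-trusted path"
    policy = device.effective_policy(via_trusted_path)
    if policy is AllocatableBy.NO_USERS:
        return False, f"{device.name}: not allocatable from the {path}"
    if policy is AllocatableBy.AUTHORIZED_USERS and device.authorization not in user_auths:
        return False, f"{device.name}: {device.authorization} authorization required"
    if not device.label_in_range(label):
        return False, (f"{device.name}: label {label.name} outside "
                       f"{device.min_label.name}..{device.max_label.name}")
    return True, f"{device.name}: allocated at {label.name} from the {path}"


# The three configurations on this page.
CDROM0 = DeviceConfig("cdrom0")                                          # page defaults
AUDIO = DeviceConfig("audio", non_trusted_path=AllocatableBy.NO_USERS)  # no remote allocation
SERIAL = DeviceConfig("/dev/term/a", PUBLIC, PUBLIC,
                      AllocatableBy.NO_USERS, AllocatableBy.NO_USERS)    # single-label login port

if __name__ == "__main__":
    AUTHS = {"solaris.device.allocate"}
    for dev, auths, label, trusted in [
        (CDROM0, AUTHS, INTERNAL_A, True),
        (CDROM0, set(), INTERNAL_A, True),
        (AUDIO, AUTHS, PUBLIC, True),
        (AUDIO, AUTHS, PUBLIC, False),
        (SERIAL, AUTHS, PUBLIC, True),
    ]:
        print(can_allocate(dev, auths, label, trusted)[1])
    # The serial port is never allocated; its label range still bounds the login label.
    print("serial login at PUBLIC allowed:", SERIAL.label_in_range(PUBLIC))
    print("serial login at ADMIN_LOW allowed:", SERIAL.label_in_range(ADMIN_LOW))
```

The order of the checks matters: a No Users setting denies the request before any authorization or label is considered, which is why the audio device stays silent for remote users even when they hold solaris.device.allocate, and why the serial port's Public-only range is enforced on the login label rather than on an allocation.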
If no device_clean script is specified at the time a device is created, the default script, /bin/true, is used.
Have ready a script that purges all usable data from the physical device and that returns 0 for success. For devices with removable media, the script attempts to eject the media if the user does not do so. The script puts the device into the allocate error state if the medium is not ejected. For details about the requirements, see the device_clean(5) man page.
You must be in the System Administrator role in the global zone.
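The script below is an added example of a device_clean-style script for a removable-media device; it is not one of the scripts shipped in /etc/security/lib and not code from this guide. It follows the contract the page states (purge usable data, return 0 on success, return non-zero so that the device enters the allocate error state when the medium could not be ejected). The option letters it accepts, the use of the eject command, and the retry count are assumptions made for the example; the EJECT_CMD, LOGGER_CMD and RETRY_DELAY variables exist only so the logic can be exercised without hardware.

```sh
#!/bin/sh
# Added example of a device_clean-style script for a removable-media device.
# Not shipped with Trusted Extensions; option letters and eject usage are assumed.
# Exit status: 0 = device clean, 1 = medium still present (allocate error state),
# 2 = bad invocation.

EJECT_CMD=${EJECT_CMD:-/usr/bin/eject}   # overridable for testing without hardware
LOGGER_CMD=${LOGGER_CMD:-logger}
MAX_ATTEMPTS=${MAX_ATTEMPTS:-3}
RETRY_DELAY=${RETRY_DELAY:-1}

log_event() {
    # Best effort: a missing logger must never turn a clean result into a failure.
    "$LOGGER_CMD" -p daemon.notice -t device_clean "$*" 2>/dev/null || :
}

# clean_removable_media DEVICE MODE
# Tries to eject the medium up to MAX_ATTEMPTS times.  Returns 0 once the eject
# command reports success, 1 if the medium is still in the drive.
clean_removable_media() {
    dev=$1
    mode=$2
    attempt=1
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        if "$EJECT_CMD" "$dev" >/dev/null 2>&1; then
            log_event "$dev: medium ejected on attempt $attempt (mode=$mode)"
            return 0
        fi
        attempt=$((attempt + 1))
        sleep "$RETRY_DELAY"
    done
    log_event "$dev: medium still present after $MAX_ATTEMPTS attempts; device enters the allocate error state"
    return 1
}

# parse_mode OPTION: prints the cleanup mode for a recognised option, fails otherwise.
# (The option set is an assumption for this example.)
parse_mode() {
    case $1 in
        -s) echo standard ;;
        -f) echo forced ;;
        -I) echo boot ;;
        *)  return 1 ;;
    esac
}

main() {
    mode=standard
    if [ $# -eq 2 ]; then
        mode=$(parse_mode "$1") || { echo "usage: $0 [-s|-f|-I] device-name" >&2; return 2; }
        shift
    fi
    [ $# -eq 1 ] || { echo "usage: $0 [-s|-f|-I] device-name" >&2; return 2; }
    clean_removable_media "$1" "$mode"
}

# Run only when invoked with arguments; running the file bare just defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
    exit $?
fi
```

Failing closed is the point: the script never reports success it could not verify, so an unejected disc leaves the device in the allocate error state until the system administrator reclaims it from the Device Manager, rather than handing media from the previous user to the next one.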