Chapter 4 Configuring a Workstation without the NIS+ Name Service

This chapter covers how to configure a workstation to use no name service.

Installation and configuration commands and actions are limited to particular roles and particular labels. Read each task for the administrative role that can perform it, and the label required.

Who Does What

Trusted Solaris software is designed to be installed and configured by an install team. Once the team has created users who can assume Trusted Solaris roles, and has rebooted the workstation, the software enforces two-role task division. If two-person installation is not a site security requirement, you can assign the two administrative roles, secadmin and admin, to one person.

Non-Networked Configuration Tasks

A non-networked workstation or a networked workstation that does not use a name service is configured much like a NIS+ root master, except that /etc files are used for administration rather than NIS+ tables.

Other setup tasks, such as protecting file systems, handling mail, and setting up printing are covered in Trusted Solaris Administrator's Procedures.

If you are configuring the workstation to satisfy criteria for an evaluated configuration, please read "Understand Your Site's Security Policy."

Depending on how you set up the workstation, some procedures can be omitted.

• "Log In and Assume the root Role"

• "Protect the Workstation"

• "Check and Install the label_encodings File "

• "Set Up Network Files"

• "Add Administrative Roles to Three /etc Files"

• "Reboot the Workstation"

• "Update Role Passwords"

• "Add Users to Administer the System"

• "Verify That Users and Administrative Roles Work"

• "Mount Unlabeled File Systems"

• "Share File Systems"

• "Delete the User install"

Log In and Assume the root Role

Log in as the user install and assume the root role.

See "To Log In as the User Install" if you are unfamiliar with the steps.

Protect the Workstation

1. Protect the PROM or the BIOS.

   See "How to Protect Machine Hardware" if you are unfamiliar with the steps.

2. Limit contact with other workstations when booting.

   See the explanation and reference in "How to Limit Contact During Booting".

Check and Install the label_encodings File

If you are not installing a site-specific label_encodings file, and:

• If you are not going to access any other workstation, skip this step and go to "Add Administrative Roles to Three /etc Files".

• If you are going to access a network without using the NIS+ name service, skip this step and go to "Set Up Network Files".

Your label_encodings file must be compatible with any Trusted Solaris host with which you are communicating.

If you are installing a site-specific label_encodings file, the file must conform to requirements detailed in Trusted Solaris Label Administration. Read on.

Install the Label Encodings File

1. See "How To Install a Site-Specific Label Encodings File" for the full procedure.

   1. Run the Check Encodings action from the System_Admin folder to install the modified label_encodings file.

      ---

      Caution -

      If you are planning to use a modified label_encodings file, you must successfully complete this step before continuing or the installation will fail.

      ---

   2. Read the new label_encodings file into your environment by clicking the right mouse button on the workspace background and choosing Windows > Restart Workspace Manager.

Set Up Network Files

Perform these tasks only if the security administrator has planned for an open network, and you plan to access other workstations without using a name service.

If you are going to use static routing, set it up.

Follow the procedure in "Set Up Routing".

If you are using static routing, open the Database Manager and add the static router(s) to the local Hosts database.

See the detailed list of steps in "Add the Static Routing Workstations to the Local Hosts Database".

If your workstation is going to use DNS, click the Set DNS Servers action and enter the nameservers.

For a detailed list of steps, see "Set Up DNS". Do not edit the nsswitch.conf file.

Using the Database Manager, enter the details of every workstation that this workstation may contact in the tnrhdb(4) database. Include the static routers, and any file servers whose file systems you plan to mount.

See "To Open and Modify a Solstice_Apps Database" if you are unfamiliar with accessing the tnrhdb database. A more detailed explanation of the steps is in "To Edit the Tnrhdb Database ".

Configure any secondary network interfaces.

Follow the steps in "How to Add Network Interfaces" if you are unfamiliar with setting up network interfaces.

Add Administrative Roles to Three /etc Files

When you operate locally, the Trusted Solaris administrative roles must have their names and passwords in the appropriate /etc files. There are three files to modify: passwd, shadow, and tsoluser.

1. Save the original files by copying them to *.orig.

   # cd /etc # cp -p passwd passwd.orig # cp -p shadow shadow.orig # # cd /etc/security/tsol # # cp -p tsoluser tsoluser.orig

2. Add the contents of each *.roles file to its corresponding /etc file.

   1. Using the Admin Editor, open the file /etc/passwd and go to the end of the file.

   2. Read in the file /etc/passwd.roles (the Admin Editor command is :r filename).

   3. Write and exit the file /etc/passwd.

      The passwd file now contains its original text and the text of the file passwd.roles.

   4. To verify, grep for the role secadmin in a profile shell.

      # cd /etc # grep secadmin passwd secadmin:x:101:14:Security Admin:/etc/security/tsol/home/secadmin:/usr/bin/pfsh

   5. Repeat the above steps for /etc/shadow and shadow.roles, and for /etc/security/tsol/tsoluser and tsoluser.roles. To write out an edited shadow file, you must use the Admin Editor command :wq!, since the file is write-protected.

      ---

      Caution -

      The Trusted Solaris roles must be in the local passwd, shadow, and tsoluser files for the Trusted Solaris environment to work. Do not (further) edit the files tsolprof, tsoluser, passwd, or shadow. After booting, you will modify these using the Solstice_Apps tools, User Manager and Profile Manager.

      ---

3. Modify other /etc files as necessary.

Reboot the Workstation

This step is required only if you have set up network files.

Shut down the workstation from the TP (Trusted Path) menu.

For a detailed procedure, see "To Reboot the Workstation".

Update Role Passwords

1. If you rebooted, log in as the user install and assume the role root.

2. Open the User Manager from Solstice_Apps using None for the Naming Service, and give passwords to the roles secadmin, admin, and oper.

   Follow the steps in "To Modify the Password for a Role or User Account" if you are unsure of how to set passwords.

   ---

   Note -

   To ensure that the workstation can always be administered, use the status Always Open for every administrative role, and do not set password expiration dates for any administrative role.

   ---

3. Leave the User Manager open.

Add Users to Administer the System

1. Add users who will assume administrative roles. Follow the outline provided in Table 5-1.

   See "To Open and Modify a Solstice_Apps Database" if you are unfamiliar with the User Manager.

   ---

   Note -

   To ensure that someone can always log in, use the status Always Open for the user who can assume the secadmin role.

   ---

2. Exit the User Manager when at least the users who can assume the roles secadmin and admin have been created.

3. Log out by clicking the EXIT icon on the Front Panel.

Verify That Users and Administrative Roles Work

Log in as a user, assume an administrative role, and test it for effectiveness.

Follow the procedure in "Verify that Users and Administrative Roles Work" to ensure that every role is working.

Mount Unlabeled File Systems

Perform this task only if the security administrator has planned for an open network, and you plan to access a file server without using a name service.

1. Set a label for an unlabeled file system.

   Read the explanation and follow the procedure in "Set the Label for Unlabeled File Systems (Example)" if you are unsure of the steps.

2. Mount the file system.

   If you are unfamiliar with the steps, see "How to Mount a File System".

Share File Systems

Perform this task only if others are permitted to access directories on this workstation.

Share the file systems that other workstations may access.

Follow the procedure in "How to Share a File System" if you are unfamiliar with sharing file systems.

Delete the User install

The user install is useful for installing and initially configuring a workstation. Where site security demands, remove the user.

Use the User Manager to delete the user install.

See "To Delete a Local User" if you are unfamiliar with deleting users.