Trusted Solaris Installation and Configuration

NIS+ Root Master Configuration Tasks

The first workstation installed on a network has special status. It must be installed interactively from the CDROM, and it must be configured as the NIS+ root master.

Configuring a NIS+ root master involves entering security information, some of which is copied to the clients, and entering details local to the workstation itself.

Other administrative tasks, such as protecting file systems, handling mailing, and setting up printing are covered in Trusted Solaris Administrator's Procedures.

If you are configuring a site that satisfies criteria for an evaluated configuration, please read "Understand Your Site's Security Policy.".

The procedures are not numbered. Depending on your site configuration, some procedures can be omitted.

Log In and Launch a Terminal

Log on to the workstation as the user install.

See "How to Log In" if you have not logged in before.

Assume the role root.

You are in a new workspace named root, designed for the role root. The session label is still ADMIN_LOW, but the role root has many more powers than the user install.

Launch a terminal.

See "To Launch a Terminal" if you are unfamiliar with launching a terminal in Solaris or Trusted Solaris. The terminal contains a profile shell, specific to the role root.

Note -
The Options menu enables you to customize the appearance of the terminal. Customizations for the user "install" are not saved.

Protect the Workstation

Protect the PROM or the BIOS.

See "How to Protect Machine Hardware" if you are unfamiliar with the steps.

Limit network contact during booting.

See the explanation and reference in "How to Limit Contact During Booting".

Check and Install the label_encodings File

The Failed Cross Reference Formatshould be the same on every host in your domain. The Failed Cross Reference Formatis responsible for preparing, checking, and maintaining the label_encodings file.

Skip to "Set Up Routing" if you are not modifying the label_encodings file and you have an open network.
Skip to "Edit the Trusted Network Files" if you are not modifying the label_encodings file and you have a closed network.

Caution -

If you are installing a modified label_encodings file, you must complete this step before continuing or the installation will fail.

You can edit the label_encodings file that the Trusted Solaris installation program installed.

Note -

The default label_encodings file is useful for demos, but it is not a good choice for use by a customer site.

If you do not use the default label_encodings file, check that your label_encodings file works on the NIS+ master before copying the file to every workstation you install.

Install the Label Encodings File

See "How To Install a Site-Specific Label Encodings File" for the full procedure.
1. Run the Check Encodings action from the System_Admin folder to install the modified label_encodings file.
  
  Caution -
  If you are planning to use a modified label_encodings file, you must successfully complete this step before continuing or the installation will fail.
2. Read the new label_encodings file into your environment by clicking the right mouse button on the workspace background and choosing Windows > Restart Workspace Manager.
You will use a copy of the label_encodings file on the NIS+ clients. Setting up the copy is covered in "Copy Configuration Files for Distribution to Clients".

Set Up Routing

Routing is required only if the security administrator has planned for an open network. There are three routing methods available: dynamic routing (the default), and static routing (using a defaultrouter or tsolgateways file).

Note -

If you plan to use dynamic routing, skip this procedure.

For small networks, an /etc/defaultrouter file provides a simple routing method. If your workstation or site accesses a complex network of gateways, the /etc/tsolgateways file offers more control over static routing. See "Routing" in Trusted Solaris Administrator's Procedures and the tsolgateways(4) man page for more information.

Note -

A workstation cannot be its own default router (gateway). A NIS+ master with more than one interface can be a router for its clients, but it cannot be a router for itself.

To Set Up Simple Static Routing

Note -

For static routing, do either this procedure, or "To Set Up Complex Static Routing".

Double-click the Set Default Routes action in the System_Admin folder.

See "To Open a File that has a Defined Action" if you are unfamiliar with using trusted actions.

An empty /etc/defaultrouter file appears in the trusted editor.

Enter the name of the defaultrouter. If there is more than one, enter them all, one per line.

For example, if the workstations trustworthy and forwardho are routers, enter them, one per line:
trustworthy forwardho

Write the file and exit the editor.

Note -
If the workstation has an /etc/defaultrouter file and an /etc/tsolgateways file, only the /etc/tsolgateways file is used for routing decisions.

To Set Up Complex Static Routing

Double-click the Set TSOL Gateways action in the System_Admin folder.

See "To Open a File that has a Defined Action" if you are unfamiliar with using trusted actions.

An empty /etc/tsolgateways file appears in the trusted editor. See the tsolgateways(4) man page for examples of how to format the file.

Enter the IP address of the net, the name of the gateway and its metric. Repeat for every gateway.

For example, if the workstations trustworthy and forwardho are gateways:
129.150.150.0 trustworthy 1 129.150.8.0 forwardho 2

Write the file and exit the editor.

Set Up Additional Network Interfaces

If the workstation has more than one network interface, set them up now.

Note -

Skip this procedure if the workstation has only one network interface.

The security administrator ensures that every interface is protected with a device policy. See "Managing Devices" in Trusted Solaris Administrator's Procedures if you need to add a new hardware device to the device_policy(4) file. The install team ensures that the interfaces are protected before booting the workstation into multiuser mode.

The basic setup of additional network interfaces in Trusted Solaris is identical to their setup in the Solaris environment. For further information on basic setup, see "Configuring TCP/IP on the Network" in TCP/IP and Data Communications Administration Guide in the Solaris 7 System Administrator Collection.

Add the Static Routing Workstations to the Local Hosts Database

Note -

Skip this procedure if the security administrator has planned for dynamic routing or for a closed network.

Open the Hosts database as a local file (using no naming service).

See "To Open and Modify a Solstice_Apps Database" if you are unfamiliar with editing the Hosts database.

The list of known hosts is displayed. The local workstation should already be in the database.

Add the defaultrouter workstation(s) or the tsolgateway workstations as entries to the database.

Exit the Hosts database when the entries are complete.

Edit the Trusted Network Files

The trusted network remote host database (tnrhdb) file enables the workstation to communicate with other hosts. It should include the host type and IP addresses of the workstations on your network and the host type and IP addresses of any other subnets and hosts with which your Trusted Solaris 7 network can communicate. The security administrator determines what networks can contact the Trusted Solaris 7 network; for a list of host types, see Table 1-2. The system administrator collects the IP addresses.

If you plan to mount file systems from unlabeled hosts at a label available to users, or enable communications using services such as ftp, or route through an unlabeled host, do "To Edit the Tnrhtp Database (Example)" first. Otherwise, go to "To Edit the Tnrhdb Database ".

You can change the network details later. For customizing the tnrhdb and its associated templates database, tnrhtp, see "Creating Entries in the Trusted Network Databases" in Trusted Solaris Administrator's Procedures.

To Edit the Tnrhtp Database (Example)

This example adds a new template, unlab_userlabel, to the tnrhtp(4) database. This procedure is a prerequisite to mounting an unlabeled host at a user label, such as Confidential. "Set the Label for Unlabeled File Systems (Example)" completes the setup.

Open the Tnrhtp database in the Database Manager using no naming service.

See "To Open and Modify a Solstice_Apps Database" if you are unfamiliar with the steps.

Choose Edit > Add from the Tnrhtp menu.

In the Template Manager (Add) window, create a new template with the an unlabeled host type named unlab_userlabel, no UID, no GID, no forced privileges, with an admin_high clearance and a CMW label of Admin_Low[low_user_label].
1. Enter unlab_userlabel for the template name.
2. Select Unlabeled from the list of Host Types.
3. Click the Def! button to use the defaults for User ID, Group ID, and Forced Privileges.
  
  The button is to the right of each attribute.
4. Click the Clearance button to set the default clearance to admin_high.
  
  The default Failed Cross Reference Format must dominate the default label. The label admin_high dominates all labels.
  1. In the label builder, click ADMIN_HIGH.
  2. Click OK.
5. Click the Label button to set the default CMW label to [userlabel].
  
  Select a Failed Cross Reference Formatavailable to users. The sensitivity label [ADMIN_LOW] is not available to users.
  1. Click the SL button and click a user sensitivity label, such as Confidential.
  2. Click OK.

Exit the database when the template is complete.

To Edit the Tnrhdb Database

Open the Tnrhdb database in the Database Manager using no naming service.

See "To Open and Modify a Solstice_Apps Database" if you are unfamiliar with the steps.

Use the IP address fallback mechanism to assign one template to all hosts on your Trusted Solaris 7 subnet.
1. Enter the subnet IP address and the template name.
  
  For example, enter 129.150.110.0 and tsol. The final zero signifies a subnet address; all hosts on that subnet are recognized as tsol hosts.
2. For any exceptions on the subnet, enter the exception's IP address and its correct template.
  
  For example, 129.150.110.3 and unlab. This host on the subnet is an unlabeled host, an exception to the tsol fallback entry.

Hint: To more easily copy the IP addresses from your Hosts database, open the /etc/hosts file in the Admin Editor. You can then copy and paste the IP addresses from the editor to the tnrhdb.

Enter the IP address of every host in your /etc/defaultrouter or /etc/tsolgateways file, and assign to each an appropriate template name.

Enter the details of other subnets and hosts.
1. Enter the fallback designation of each subnet and an appropriate template name for the subnet.
2. Individually assign a different template to any host that is an exception to its subnet's assigned template.
  
  Use the details provided by your system administrator, then choose the appropriate template name from the menu. See Table 1-2 for host types and their associated templates provided by Trusted Solaris.

Exit the Tnrhdb database when the entries are complete.

Close the /etc/hosts file if you used it for copying IP addresses.

Summary

The tnrhdb database should have an IP address and template name for:

The NIS+ root master (that is, this host)
Every NIS+ client that will be in the Trusted Solaris 7 domain, or its subnet fallback mechanism nnn.nnn.nnn.0
Every static router (open network only)
Every other workstation with which the domain can communicate, or a fallback address for its subnet (open network only)

Set Up the NIS+ Domain

Setting up the NIS+ root master sets up the NIS+ domain for the Trusted Solaris NIS+ clients. Several NIS+ tables have been created or modified to hold Trusted Solaris data about label configuration, users, roles, execution profiles, and remote hosts.

To Set the Stage

As root, create a staging area for files you plan to use to populate the NIS+ databases.

You can place the staging area wherever you have enough space. Usually a few megabytes is more than enough room to store some files temporarily.
# mkdir -p /setup/files

Copy the sample /etc files into the staging area.

Most of the files you need already exist on the installed system and have enough data in them to get you started. The following files in the /etc directory are usually not found on a newly installed system: bootparams, ethers, netgroup, netmasks, and timezone. You can create these with an editor, load them from a backup diskette, or merely create empty versions of these files, so that the NIS+ tables are created all at once. If you choose not to create these files, you can create them later, but the nispopulate(1M) command may print out a few warning messages.

# cd /etc
# touch bootparams ethers netgroup netmasks timezone
# cp bootparams ethers netgroup netmasks timezone \
aliases auto_home auto_master group hosts networks \
protocols rpc services /setup/files

Three Trusted Solaris files need to be renamed when copied into the staging area. Three others are copied without changing their names.

# cp passwd.roles /setup/files/passwd
# cp shadow.roles /setup/files/shadow
# 
# cd /etc/security/tsol
# 
# cp tsoluser.roles /setup/files/tsoluser
# cp tsolprof tnrhdb tnrhtp /setup/files

Check that all the files are now in your staging area; there are 20.

# cd /setup/files
# ls | wc -l

		WARNING: Command operating outside of the Trusted Path!
	20

Edit the hosts file in your staging area.
1. Change the permissions on the file.
  # chmod u+w /setup/files/hosts
2. Open the Admin Editor and enter /setup/files/hosts for editing.
  
  For more detailed instructions, see "To Create or Open a File from the Trusted Editor".
  
  The file already contains the NIS+ root master (that is, this host's address) and the static routers, if any.
  1. Add every workstation that will be in the Trusted Solaris 7 domain.
    
    There is no fallback mechanism here. The IP address of every workstation to be contacted must be in this file.
    
    Caution -
    Failure to include a workstation will cause client authentication to fail; the NIS+ client will have no credentials.
  2. Add every other workstation with which the domain can communicate.
  3. Write the file and exit the editor.

Modify other files in your staging area as necessary.

Caution -
Do not modify the files: tsolprof, tsoluser, passwd, or shadow. You will modify these using the User Manager and Profile Manager.

There is enough information in your staging area to convert your host to a NIS+ master. However, if you are restoring a former NIS+ domain from files, you may want to merge some of your saved files with those in the staging area at this time.

Caution -
If you choose to edit any files, you must be very careful to provide all of the information necessary in the correct formats before populating the NIS+ tables. Failure to do so can result in the inability to further administer or use the system.

To Set Up NIS+ with Databases from the Staging Area

For fuller descriptions of NIS+ setup and administration, see

Double-click the Create NIS+ server action in the System_Admin folder.

See "To Run a Script from the System_Admin Folder" if you are unfamiliar with using trusted actions.

Enter your NIS+ domain name.

This workstation will be the root master. For example,
Domain Name: aviary.eco.org.
There is a period at the end of the domain name.

Answer the prompts ( y, y, rootpassword).

You can ignore diagnostics printing out that the file /etc/defaultdomain cannot be located. The file will be created.

In the /setup/files directory, make sure that you have added all NIS+ clients to the hosts file.
# cd /setup/files # more hosts

Populate the standard NIS+ databases from the /setup/files directory by running the Populate NIS+ Tables action.

Enter your staging area when prompted.

Populate from which directory? /setup/files

Answer the prompts (y, y).

...
Is this information correct? y
...
Do you want to continue? y

Add the Trusted Solaris roles and system administrators to the NIS+ admin group.
# nisgrpadm -a admin admin secadmin
The first admin is the name of a NIS+ table. The last two arguments are the names of Trusted Solaris administrative roles, admin and secadmin.

Load any additional NIS+ tables you may have backed up.

Procedures vary depending on the format of the backup and on what types of NIS+ tables they are. Refer to the NIS+ and DNS Setup and Configuration Guide for details of how to load your tables.

Set Up DNS

Note -

Skip this procedure if the security administrator has planned a closed network.

For detailed information about DNS, see the Federated Naming Service Guide.

If you are using DNS to contact hosts outside of your domain, you must:

Create a resolv.conf file with the appropriate name servers using the Set DNS Servers action.
1. Enter the string nameserver followed by the IP address of one of your name servers, and repeat for all name servers.
  
  The file looks something like:
  nameserver nnn.nnn.nnn.nnn nameserver nnn.nnn.nnn.nnn
2. Write the file and exit the editor.

Edit the hosts entry in the /etc/nsswitch.conf file to use DNS. The action is Name Service Switch.

Change the hosts entry to:

~
#hosts:      nisplus [NOTFOUND=return] files
#Uncomment the following line, and comment out the above,
#to use both DNS and NIS+.  You must also set up the
#/etc/resolv.conf file for DNS name server lookup.
#See resolv.conf(4).
hosts:      files nisplus dns
~

Write the file and exit the editor.

Reboot the Workstation

Shut down the workstation from the TP (Trusted Path) menu.

If you are unfamiliar with rebooting a Trusted Solaris workstation, see "To Reboot the Workstation".

Update Role Credentials and Passwords

The passwords and credentials of the roles admin, secadmin, and oper must be updated in the new NIS+ domain using the User Manager.

Open the User Manager using the NIS+ naming service.

For a more detailed step through the procedure, see "To Open and Modify a Solstice_Apps Database".

Trusted Solaris administrative roles and their IDs are listed in the window. These were created from the tsoluser file when you ran the nispopulate command in "To Set Up NIS+ with Databases from the Staging Area".

Give each role a new password.

If a detailed procedure would be helpful, see "To Modify the Password for a Role or User Account".

Note -
To ensure that someone can always log in, use the status Always Open for the secadmin role, and for the user who can assume the secadmin role.

Set Up Home Directories

If this workstation is the home directory server, share home directories.

Share home directories on the home directory server.

If you are unfamiliar with how to share file systems, see "How to Share a File System".

If this workstation is not the home directory server, configure the home directory server, reboot it, and mount the home directories, as detailed in "Install and Configure the Home Directory Server Now", before adding users.

Install and Configure the Home Directory Server Now

Go and do:
- "System Installation Step by Step"
- Chapter 6, Configuring a NIS+ Client
- Configure the home directory server up through reboot:
  - "Set Up Home Directories" (on the NIS+ client and NIS+ master)
  - "Reboot the Workstation" (boot the NIS+ client)

Then, create the first three users.

Continue with "Add Users to be Administrators".

Add Users to be Administrators

The install team in the role root creates at least two users, to assume the roles secadmin and admin. It is also useful to create a user who can assume the role root.

Note -

Where site security policy permits, you can choose to create one user who can assume more than one administrative role.

Prerequisite

The home directory server is either

In communication with the NIS+ root master and the home directories are automounting, or
The home directory server is the NIS+ root master.

To Create a User

On the home directory server, log in and assume the role root.

Open the User Manager with the NIS+ Naming Service option.

Caution -
Role and user IDs come from the same pool of IDs. Do not use existing names or IDs for the users you add.

Create a user who can assume the role admin.

See Table 5-1 for the information to enter for a user.

Make sure you enter information in every dialog.

Read the Comments column for guidance.

Parentheses enclose suggestions. Requirements or defaults are not enclosed in parentheses.

Table 5-1 User Account Characteristics


Dialog	Account Characteristic	Comments
Identity	User name
	User ID	(1001 or higher)
	Primary groups	10
	Secondary groups
	Comment	No proprietary info here.
	Login shell
	User Type	Normal
Password	Password	Assign a password of 8 alphanumeric characters.
	Change dates, expiration dates, warnings
	Change by Type in or Choose from list
	Status	Open
	Cred Table Setup	Yes, leave it checked.
Home	Create home directory	Yes. In a multilevel system, a multilevel home directory will be created.
	Home directory pathname	/mount_path/username
	Server	home directory server
	Skeleton path	Yes, use it.
	Default permissions on home directory
	Mail server
	Cred?	Yes, leave it checked.
	AutoHome setup	Yes, when networked; No, when non-networked.
Labels	Clearance	not ADMIN_HIGH
	Minimum Sensitivity Label	not ADMIN_LOW
	Label View
	SL visibility	If your site is a no-label site, choose Hide.
	IL visibility	If your site is a no-label site, choose Hide.
Roles	Can assume role	secadmin
Profiles	Can use profile	Enable Login, All...
Idle	Lockscreen or logout
	Time

Create another user, one who can assume the administrative role secadmin.

Note -
To ensure that someone can always log in, use the status Always Open for the secadmin role, and for the user who can assume the secadmin role.

You may choose to create a third user to assume the role root.

These three users should each have at least the following profiles:
- Enable Login - user can enable logins after a workstation reboot
- All - user can run basic commands, such as ls
After checking your site security policy, you may want to add the profile:
- Convenient Authorizations - user can allocate devices, enable logins, print PostScript files, print without labels, remotely log in, and shut down the workstation

Close the User Manager

Note -

Setting up users is a two-role, trusted procedure. The Failed Cross Reference Formatin the role root should set up only the initial administrators.
In a multilabel environment, users are set up with a useful file, Failed Cross Reference Format, from the Skeleton Path.

See Trusted Solaris User's Guide and "Managing User Accounts" in Trusted Solaris Administrator's Procedures for details on setting up users and user files.

Log Out

Log out by clicking the EXIT button on the Front Panel.

Verify that Users and Administrative Roles Work

Bringing up a user in the User Manager confirms that the administrative roles secadmin and admin are working correctly.

For each role, log in and assume the role.

Open the User Manager and choose the default filter and name service.

Select a user, and press the Return key.
- The role admin should be able to modify fields in the dialog boxes Identity and Home.
- The role secadmin should be able to modify fields in the dialog boxes Password, Labels, Profiles, Roles, and Idle Time.

Do the following to verify that the role root is working correctly.
1. Log in and assume the role.
2. Launch a terminal.
3. Find the command pkgadd(1M) in the list of commands:
  # clist | grep pkgadd /usr/sbin/pkgadd

Log out, and have a user who can assume the role required for the next task log in.

Set Up Auditing

The security administrator is responsible for auditing decisions.

If site security does not require auditing, disable it.

To disable auditing in the Trusted Solaris environment, follow the procedures described in Trusted Solaris Audit Administration.

After disabling auditing, go to the next task you plan to do.

To Configure Auditing

Follow the Trusted Solaris Audit Administration guide to configure auditing at your site.

Who is audited and for what events should be the same on every workstation. Copy any modified audit configuration files from the NIS+ root master to every NIS+ client using the procedure in "Copy Configuration Files for Distribution to Clients".

Set the Label for Unlabeled File Systems (Example)

You can mount file systems from workstations that do not recognize labels by setting the label of the mount point to a single label. The following example of mounting an unlabeled host at a single label depends on your having modified the tnrhtp file as described in "To Edit the Tnrhtp Database (Example)".

Edit the file /etc/security/tsol/vfstab_adjunct using the Set Mount Attributes action in the System_Admin folder.

For details of how to edit the file, see "How to Set the Label on an Unlabeled File System".

For example, the following entry sets the label Confidential ([C]) on an unlabeled file system, /cpublic:
/cpublic; \ slabel=C;

Share File Systems

Enter file systems for others to access using the Share Filesystems action.

If you are unsure of how to share file systems, see "How to Share a File System".

The following is a sample entry in the dfstab file:
```
share -F nfs -o ro,anon=0 -d "Network Tools" /export/tools
```
Caution -
Do not use proprietary names for shared file systems. The names of shared file systems are visible to every user.

Share the file systems.

If you are unsure of the commands, see "How to Share a File System".

Copy Configuration Files for Distribution to Clients

Create a directory that cannot be deleted between reboots.

Create it in an /export subdirectory, such as /export/clientfiles.
# mkdir /export/clientfiles

Copy your modified label_encodings file to the /export... directory.
# cd /etc/security/tsol # cp -p label_encodings /export/clientfiles
Note -
The -p option to the cp(1) command preserves the correct file permissions.

If you modified other files, copy them to the /export... directory.

For example, a site that is using a modified tnrhtp file, DNS, and auditing might copy the following files:

# cd /etc/security
# cp -p audit_control audit_user audit_startup \
/export/clientfiles
#
# cd /etc/security/tsol
# cp -p tnrhtp /export/clientfiles
#
# cd /etc
# cp -p resolv.conf nsswitch.conf /export/clientfiles
# ls /export/clientfiles
audit_control 	audit_user	nsswitch.conf
audit_startup 	label_encodings	resolv.conf      tnrhtp

To Transfer Files for NIS+ Clients to Diskette

Allocate the diskette device.

See "How to Allocate and Deallocate a Device" if you are unfamiliar with the steps. Do not mount the device.
Do you want floppy_n mounted: (y,n)? n

Copy the files to the allocated medium.

For examples of copying files to a portable medium, see "How to Copy Files To and From a Portable Medium".

Deallocate the device and follow the directions in the window.

Delete the User install

The user install is useful for installing and initially configuring a workstation. Where site security demands, the admin role at label admin_low removes the user.

Caution -

Do not remove the user install until you are satisfied that the client workstations can communicate with the NIS+ master.

See "To Delete a Local User" if you have not deleted a local user in the Trusted Solaris system before.