This chapter describes Trusted Solaris exceptions to Solaris installation procedures and recommendations. It also describes Trusted Solaris requirements that are optional in the Solaris environment. For example, an evaluated configuration must collect auditing records. The partitions for those audit records are created during installation.
If you are planning to use data from Trusted Solaris 7 or Trusted Solaris 2.5.1 databases on your new Trusted Solaris 8 system, do not start installing. First, on a Trusted Solaris 7 or Trusted Solaris 2.5.1 system, create the Trusted Solaris 8 versions of tsolprof (exec_attr and prof_attr) and tsoluser (user-attr). Read and follow the procedures in the FAQ on the Trusted Solaris website, http://www.sun.com/software/solaris/trustedsolaris/ts_tech_faq.
Trusted Solaris software is designed to be installed and configured by two people with distinct responsibilities. However, the installation program does not enforce two-role task division. Task division is enforced by users who can assume Trusted Solaris roles. Since roles and users are not created until after installation, we recommend that an install team of at least two persons be present during the installation of a workstation.
During Trusted Solaris 8 installation, the team should:
Partition the disks with security in mind: name the partitions thoughtfully, so as not to disclose security information, and provide space for audit records.
A root password is required. Enter a root password when prompted.
In the Trusted Solaris environment, upgrade is not supported nor is patch analysis. Trusted Solaris software supports fewer locales than does Solaris 8 software.
-- Create at least one audit partition named /etc/security/audit/workstation_name.
-- Provide at least 256 MB of memory. Provide swap space.
-- Create sufficient swap space. Swap space that is double the size of the workstation's memory is a good rule of thumb.
-- Create an /export/home partition large enough for the users' home directories.
-- Create a small /export partition to hold some temporary configuration files. It also serves as a mount point.
For basic information on installation, see the Solaris 8 Start Here booklet and the platform-specific books described in "Installation Guides".
Trusted Solaris systems are shut down differently from Solaris systems.
Shut Down the workstation from the TP menu.
If the screen displays the > prompt, enter n and press Return to display the ok prompt.
On a SPARC, if the PROM is protected, enter login and when prompted, the root password.
See your hardware manual, such as the Solaris 8 Sun Hardware Platform Guide for full instructions. The following are examples.
Installing the first two systems requires using the 2 Trusted Solaris 8 installation CDs. The following are examples of booting from a CD on a SPARC and on an Intel machine.
Insert the first of two (2) Trusted Solaris 8 Installation CDs and type the boot command.
For example, on a SPARC system:
boot cdrom |
See the following example for the Intel Architecture boot procedure.
OPTION 1: Enable the system to boot from a CD by using the system's BIOS setup tool.
OPTION 2: Insert the provided floppy, then insert the first CD.
Follow the directions in the platform-specific book described in "Installation Guides", keeping in mind that Solaris Web Start ard upgrade are not supported, and that you are using Trusted Solaris CDs, not Solaris CDs.
After you type the boot command, the workstation goes through a booting phase where hardware and system components are checked. The following screen provides an example of what you see.
Type b (boot), c (continue), or n (new command mode) >n Type help for more information ok boot cdrom Rebooting with command: boot cdrom Boot device: /sbus/espdma@e, 8400000/esp@e, 8800000/sd@6, 0:f File and args: NOTICE: 64-bit OS installed, but the 32-bit OS is the default for the processor(s) on the system. See boot(1M) for more information. Booting the 32-bit OS ... SunOS Release 5.8 Version Trusted_Solaris_8 32-bit Copyright 1983-2000, Sun Microsystems, Inc. All rights reserved. Configuring /dev and /devices Using RPC Bootparams for network configuration information. Configured interface le0 Starting OpenWindows... |
The booting phase will last for a few minutes. Then a Welcome to Trusted Solaris screen briefly appears, then the screen turns blue-gray and a Solaris Install Console is displayed in the upper left corner. Messages display in the Install Console during installation.
The Trusted Solaris installation program is running.
If you are installing from CD-ROM, the program guides you step by step through installing Trusted Solaris software. Online help is also available.
Use "Root NIS+ Master Installation Program Example" for guidance in answering the questions the first time that you install. In particular, note the following:
When asked whether to use DHCP (Dynamic Host Configuration Protocol), choose No.
When installing the name service master, choose None when asked for the name service. The name service domain is configured after installing the first workstation.
For screenshots of the installation program questions, see "Using the Solaris 8 Interactive Installation Program" in Solaris 8 Advanced Installation Guide.
Users must not disclose their passwords to another person, as that person may then have access to the data of the user and will not be uniquely identified or accountable. Note that disclosure can be direct, through the user deliberately disclosing her/his password to another person, or indirect, for example, through writing it down, or choosing an insecure password. Trusted Solaris provides protection against insecure passwords, but cannot prevent a user disclosing her/his password or writing it down.
A Trusted Solaris system must have a root password in order for the root role to work. The root role is required for successful configuration.
If you manually reboot your system, type:
# halt ok boot disk |
Choose a root password by answering the password prompts.
Root password: rootpassword Re-enter your root password: rootpassword |
Do not forget the root password. The software cannot be configured without it.
The second CD installs packages only; it does not contain installation questions.
The prompts are misleading. The installation program asks for Solaris 8 CD-ROM #2. You should insert Trusted Solaris 8 CD-ROM #2.
Insert the second Trusted Solaris 8 installation CD.
Upon insertion, the CD prints out that it is a Solaris 8 CD-ROM. If you inserted a CD-ROM with the Trusted Solaris 8 Installation CD label, you inserted the correct CD.
The screen may display overwriting for the second CD. However, the packages are installing.
Answer yes to installing the software.
Package installation is displayed in 25% increments: |-1%---25%---50%---75%---100%
Enter 1 or 2 when prompted.
Remove the CD and press Return.
Before reboot, the install log is in the file /tmp/install_log. After reboot, the install log is in the file /var/sadm/system/logs/install_log.
Look for successful installation of packages.
Finish system setup by configuring the system. A Trusted Solaris system must be configured correctly after installation.
To configure the system, follow the instructions in the appropriate chapter, as shown in the task map in Table 2-4.
Errors you encounter during installation are described and debugged in the Troubleshooting section of the Solaris 8 Installation Collection (see http://docs.sun.com/ab2/coll.241.7).
The admin role is in charge of installing over a network. The secadmin role is called upon to modify or set up files or profiles to enable the admin role to complete software installation.
Prerequisite: The network and/or custom files are correctly set up. See the Solaris 8 Advanced Installation Guide, 806-0957-10, which describes network installations. The same procedures apply to Trusted Solaris network installations, with the Trusted Solaris security protections described in Chapter 9, Installing Trusted Solaris Over a Network.
Boot using the appropriate boot command on the system being installed.
boot net |
boot net - install |
A space is required between the minus sign and install.
Answer any prompts that appear.
If you have correctly set up a network installation, you will be prompted for information after system identification is completed.
If you have correctly set up a custom JumpStart installation, you are not prompted for information. If you are using a name service, you must set up the clients after JumpStart has completed.
For pointers to administration books, see "Configuration Guides" and "Other Books".
Check that all Trusted Solaris configuration tasks are complete.
For an overview of individual workstation configuration tasks, see Chapter 8, Configuring a NIS or NIS+ Client.