This procedure can be done by any user or role that has the tar command in a profile.
Use the Device Allocation Manager to allocate a tape device.
The example allocates a device named mag_tape_0. See the Trusted Solaris User's Guide for more about how to allocate devices and specify the label at which the device is allocated.
Make sure the tape is physically labeled with the label of the current process, and insert the tape into the tape device when prompted.
The window in the example is titled Device Allocation for mag_tape0.
```
st_clean: Insert tape into mag_tape0
st_clean: Make sure the tape is labeled CONFIDENTIAL
Press RETURN to quit window...
```
Enter the tar command with the -T security option.
```
trusted% tar cvT tartest
a tartest/(A) 1K
a tartest/ 0K
a tartest/file1(A) 1K
a tartest/file1 0K
a tartest/mld1/(A) 1K
a tartest/mld1/ 0K
a tartest/mld1/(A) 1K
a tartest/mld1/ 0K
a tartest/mld1/file50(A) 1K
a tartest/mld1/file50 1K
. . .
```
Use the Device Allocation Manager to deallocate the device.
Eject the tape from the device when prompted.
```
Please eject the tape in mag_tape_0
```
Make sure to protect the exported information at the security level on the media's physical label.
Assume the Security Administrator role and go to an ADMIN_LOW workspace.
Determine the driver_name and minor_name and the device special file names for the device.
For an existing device, find the device name and minor name by doing a long listing of the device.
```
# ls -l /dev/dsk/c0t6d0s2
lrwxrwxrwx 1 root root 51 Feb 29 1998 /dev/dsk/c0t6d0s2 -> ../../devices/sbus@1f,0/SUNW,fas@e,8800000/sd@6,0:c
```
In the final element of the pathname, the string before the @ character is the driver name (sd in the example above) and the string after the colon is the minor name (c in the example above).
For a new device, do the following.
Consult the hardware documentation for the device to obtain the device name and minor name and a list of all the physical device names.
See also Writing Device Drivers.
Create a new entry for the device in the /etc/security/device_maps file.
The name used for the device is arbitrary. In the third field, list all the physical device names for the device. The example shows all the physical and logical device names for the cdrom_0 device.
```
cdrom_0:\
sr:\
/dev/sr0 /dev/rsr0 /dev/dsk/c0t6d0s0 /dev/dsk/c0t6d0s1 /dev/dsk/c0t6d0s2 /dev/dsk/c0t6d0s3 /dev/dsk/c0t6d0s4 /dev/dsk/c0t6d0s5 /dev/dsk/c0t6d0s6 /dev/dsk/c0t6d0s7 /dev/rdsk/c0t6d0s0 /dev/rdsk/c0t6d0s1 /dev/rdsk/c0t6d0s2 /dev/rdsk/c0t6d0s3 /dev/rdsk/c0t6d0s4 /dev/rdsk/c0t6d0s5 /dev/rdsk/c0t6d0s6 /dev/rdsk/c0t6d0s7:\
```
Use the Admin Editor action to open the /etc/security/tsol/device_policy file for editing.
When the default policy for devices is not consistent with your site's security policy, create a specific entry or a wildcard entry for a new device or modify an existing entry for an already-specified device.
The default device policy is as shown in Table 12-1. For how to specify alternate policy settings, see the device_policy(4) man page.
Write the file and exit the editor.
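The driver-name and minor-name rule from the long-listing step of this procedure, applied to several ls -l lines at once. This is an added example, not part of the original guide; the first sample line is the listing shown above, while the other two sample lines, the /dev/example name, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive driver_name and minor_name from "ls -l" output.

# Sample input. Line 1 is the listing shown on this page; lines 2 and 3
# are constructed (/dev/example is a hypothetical name).
sample_listing() {
    cat <<'EOF'
lrwxrwxrwx 1 root root 51 Feb 29 1998 /dev/dsk/c0t6d0s2 -> ../../devices/sbus@1f,0/SUNW,fas@e,8800000/sd@6,0:c
lrwxrwxrwx 1 root root 55 Feb 29 1998 /dev/rdsk/c0t6d0s2 -> ../../devices/sbus@1f,0/SUNW,fas@e,8800000/sd@6,0:c,raw
lrwxrwxrwx 1 root root 17 Feb 29 1998 /dev/example -> ../devices/pseudo
EOF
}

# Read "ls -l" lines on stdin; for each symbolic link print
#   <logical name> <driver name> <minor name>
# Lines whose final path element lacks "@" or ":" are reported on stderr.
parse_listing() {
    while IFS= read -r line; do
        case $line in
            *' -> '*) ;;          # only symlink lines carry a target
            *) continue ;;
        esac
        target=${line##* -> }     # text after the arrow
        left=${line% -> *}        # text before the arrow
        logical=${left##* }       # last word before the arrow
        elem=${target##*/}        # final element of the pathname
        case $elem in
            ?*@*:?*) ;;
            *) echo "skip $logical: no driver@addr:minor in '$elem'" >&2
               continue ;;
        esac
        # Driver name: before the first "@". Minor name: after the last ":".
        printf '%s %s %s\n' "$logical" "${elem%%@*}" "${elem##*:}"
    done
}

sample_listing | parse_listing
```

On a live system the same function can be fed the long listing of every device special file named in the device's device_maps entry, to confirm that they all resolve to the driver the policy entry is written for.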
Assume the Security Administrator role and go to an ADMIN_LOW workspace.
Click the Device Allocation icon on the Tools subpanel.
Click the Device Administration button.
Check the status of a device by highlighting the name of the device and looking at the State: field.
If the State field is Allocate Error State, click the Reclaim button to correct the error state.
If a device's State is Allocated, do one of the following:
Contact the Owner to deallocate the device.
If the State field is Allocated, click the Revoke button to force deallocation of the device.
Click OK.
The following procedure automatically launches a CD player. The user must have allocated both the audio and CD-ROM devices.
Assume the Security Administrator role and go to an ADMIN_LOW workspace.
Open the Admin Editor from the System_Admin folder in the Application Manager to edit the /etc/rmmount.conf file.
Add your site's CD player program to the cdrom action in the file.
For example, at a site where the workman CD program is installed, the following entry in rmmount.conf automatically executes /usr/local/bin/workman and launches the workman action.
```
action cdrom action_workman.so /usr/local/bin/workman
```
Follow the instructions in the Installing Device Drivers guide for the Solaris environment, if needed, then do the following Trusted Solaris-specific steps.
If adding a new allocatable device, the System Administrator should create a device_clean script, if needed.
A tape drive can use the default st_clean script as is, or the script can be modified to suit the site's security policy. Otherwise, a new device_clean script is needed. See "To Change or Add a Device Clean Script" for the procedure.
Assume the Security Administrator role and go to an ADMIN_LOW workspace.
Click the Device Allocation icon on the Tools subpanel.
Click Device Administration, then click New....
Enter the Device Name and Device Type.
In the Device Map field, enter the pathnames for all the device special files associated with the device. Separate the pathnames with spaces.
(Optional) Set the label range on the device to be other than ADMIN_LOW to ADMIN_HIGH, by clicking the Min Label... and Max Label... buttons.
For Allocations From Trusted Path, choose an option from the Allocatable By: list:
- Authorized Users
- No Users
- All Users
- Same as Trusted Path
When configuring a printer, frame buffer, or other device that should not be allocatable, make sure to select No Users.
Same As Trusted Path applies only when Non-Trusted Path is selected.
When you choose Allocatable by Authorized Users, the Authorizations field becomes active, and the solaris.device.allocation authorization name displays.
If you have created site-specific device authorizations, enter them. See "To Add Site-Specific Authorizations to a Device" for the procedure.
Click Non-Trusted Path and select whether it should be treated the same as the Trusted Path.
If you choose Allocatable by Authorized Users, click the Authorizations... button to require site-specific authorizations to allocate the device from outside the trusted path.
If you have created site-specific device authorizations, enter them. See "To Add Site-Specific Authorizations to a Device" for the procedure.
Specify the Deallocation Options for the device when it is allocated locally through the trusted path.
Click OK to save your changes.
Assume the Security Administrator role and go to an ADMIN_LOW workspace or log in as a user who can assume a role with the Configure Device Attributes authorization.
Click the Device Allocation icon on the Tools subpanel.
Click Device Administration, select the device to allocate, and click Configure....
For Allocations From Trusted Path, choose Authorized Users.
When you choose Allocatable by Authorized Users, the Authorizations field becomes active, and the solaris.device.allocation authorization name displays.
If you have created site-specific device authorizations, click the Authorizations... button, and select the authorizations that the user must have to allocate the device.
Click Non-Trusted Path and select whether it should be treated the same as the Trusted Path.
Same As Trusted Path applies only when Non-Trusted Path is selected.
If you choose Allocatable by Authorized Users, click the Authorizations... button to add site-specific authorizations to allocate the device from outside the trusted path.
Click OK to save your changes.
Assume the Security Administrator role and go to an ADMIN_LOW workspace.
Bring up an SMC toolbox with the Files scope.
Select Devices and Hardware, provide a password when prompted, and then double-click Serial Ports.
Follow the online help for how to configure the serial port.
Click the Device Allocation icon on the Tools subpanel on the Front Panel.
The device's default label range is ADMIN_LOW to ADMIN_HIGH.
To restrict the label range, click the Device Administration button, and then click New.
Click OK to save your changes.
Assume the Security Administrator role, launch the Solaris Management Console in the appropriate scope, and click Users. Provide a password when prompted.
Double-click the User Accounts tool, and click the Rights tab.
Assign to the user a rights profile that contains the Allocate Device authorization.
If the defaults have not been modified, assign the rights profile Convenient Authorizations or All Authorizations.
To assign a rights profile to a role account, double-click the Administrative Roles tool, and double-click the role to be modified.
If the role should be able to allocate devices, choose a profile from the following table.
Table 12-6 Default Profiles that Include Device Allocation Authorization
| Authorization Name | Default Profiles |
|---|---|
| Allocate Device | All Authorizations |
| | Convenient Authorizations |
| | Device Management |
| | Media Backup |
| | Media Restore |
| | Object Label Management |
| | Software Installation |
| | SSP Installation |
If the role should be able to revoke or reclaim devices, choose one of the following profiles.
Table 12-7 Default Profiles for Administering Devices
| Name | Default Profile | Default Role |
|---|---|---|
| Revoke or Reclaim Devices | Device Management | secadmin |
| | All Authorizations | Not assigned |
If the role should be able to create or configure devices, choose one of the following profiles.
Table 12-8 Default Profiles for Creating Devices
| Name | Default Profile | Default Role |
|---|---|---|
| Configure Device Attributes | Device Security | secadmin |
| | Host Alternate Pathing | secadmin |
| | All Authorizations | Not assigned |
If none of the default profiles are appropriate for the account being reconfigured, the Security Administrator role can create a new profile that includes the device allocation authorization(s), either by themselves or along with any other commands needed by the profile's users to perform the desired work (such as the allocate, deallocate, and tar commands). Creating a new profile is described in "Adding or Modifying a Rights Profile".
Assume the Security Administrator role and go to an ADMIN_LOW workspace.
Use the Admin Editor action to open the file /etc/rmmount.conf for editing.
Comment out the action for notifying the File Manager for the CD-ROM or floppy or both.
The example shows the action_filemgr.so commented out for both the cdrom and floppy devices.
```
# action cdrom action_filemgr.so
# action floppy action_filemgr.so
```
For background, see "Using Device-Clean Scripts".
Assume the System Administrator role and go to an ADMIN_LOW workspace.
Use the Admin Editor to open a text file.
Write the script so that all usable data is purged from the physical device and that it returns 0 for success.
For devices with removable media, have the script attempt to eject the media if the user does not do so, and put the device into the allocate error state if the media is not ejected.
Copy the ADMIN_LOW script into /etc/security/lib.
Open the Device Allocation Manager from the Tools subpanel, and click the Device Administration button.
Highlight the name of the affected device and click the Configure... button.
Enter the name of the script in the Clean Program field.
Click OK until the Device Allocation Manager closes.