Trusted Solaris Administrator's Procedures

Previous: Chapter 13 Adding Software


A

	access
		administrator responsibilities ( )
		to devices ( )
		to printers ( )

	access policy, devices ( )

	accounts
		assigning labels ( )
		assigning passwords ( )
		assigning rights ( )
		assigning roles ( )
		assigning shells ( )
		deletion precautions ( )
		planning ( )
		security precautions ( )
		startup files ( ) ( )

	accreditation checks ( ) ( )

	actions
		adding new ( ) ( )
		adding outside the System_Admin folder ( )
		restricted by account profiles ( )
		using ( )

	add_allocatable command ( )

	Add to NIS+ Administrative Group action ( ) ( ) ( )

	Admin Editor, using ( )

	ADMIN_LOW label
		installing software ( )
		mail ( )
		protecting administrative files ( )
		role workspace ( )

	administrative actions
		Add to NIS+ Administrative Group ( ) ( ) ( )
		adding ( )
		Admin Editor ( )
		available in Rights tool ( )
		creating ( ) ( ) ( )
		in System_Admin folder ( )
		launching remotely ( )
		Name Service Switch ( )
		name services ( )
		Set Mail Options ( )
		trusted ( )
		using ( )

	administrative roles
		adding a name service client ( )
		administering NIS+ ( )
		administering remotely ( )
		assuming ( ) ( )
		changing workspace label ( )
		described ( )
		exiting ( )
		launching the Printer Administrator ( )
		logging in remotely ( )
		remote role assumption ( )
		saving and restoring name service databases ( )
		workspaces ( )

	Administrative Roles tool, using ( )

	administrative tools, See Solaris Management Console ( )

	adminvi command, aliasing vi ( )

	allocate command, described ( )

	allocate error state
		caused by failure of eject ( )
		defined ( )
		procedure for correcting ( )

	Application Manager, as trusted process ( )

	applications
		assigning forced privileges ( )
		evaluating for security ( )

	at.allow file ( )

	at command, administrative differences ( )

	at jobs, running privileged commands ( )

	atohexlabel command ( )

	atq command ( )

	atrm command ( )

	attr_mac_policy ( )

	audio coprocessor ( )

	`AUDIO_DRAIN` ioctl, run by device_clean ( )

	`AUDIO_SETINFO` ioctl, resetting device to default ( )

	`AUDIOGETREG` ioctl, run by device_clean ( )

	auth_name file ( )

	authorizations
		adding ( )
		adding to software ( )
		Allocate Device ( ) ( ) ( )
		device-related ( )
		device-related procedures ( )
		Edit Owned Jobs ( ) ( )
		for device administration ( )
		for devices ( )
		Manage All Jobs ( ) ( )


B

	banner pages, printing without ( )

	batch command ( )

	boot rights profile ( )


C

	cachefs filesystem type ( )

	CD-ROM, mounting ( )

	CD-ROM devices
		accessing ( )
		device_clean script ( )
		launching audio program ( )
		mounting ( )

	CIPSO, use in packets ( )

	commands
		giving forced privileges ( )
		privileges ( )
		trusted ( )

	commercial applications, evaluating ( )

	.copy_files file
		example ( )
		setting up for users ( )
		using ( )

	cron.allow file ( )

	cron command ( )

	cron.deny file ( )

	cron jobs, running privileged commands ( )

	crontab command ( )

	cut and paste, configuring selection transfer rules ( )


D

	DAC
		device files ( )
		policy for devices ( )

	deallocate command ( )

	default shells, assigning to accounts ( )

	/dev/kmem kernel image file, security violation ( )

	developers responsibilities ( )

	device_allocate file ( )

	Device Allocation Manager
		administering devices ( )
		allocating and administering devices ( )
		allocating devices ( )

	device_clean command ( )

	device_clean scripts
		for tape devices ( )
		modifying ( )
		procedure for adding devices ( )
		review ( )

	device_maps file ( )

	device policy, setting ( )

	device_policy file ( )

	device special files, access policy ( )

	devices
		access policy ( ) ( )
		accessing ( )
		adding ( )
		adding device_clean script ( )
		adding site-specific authorizations ( )
		administering ( ) ( )
		authorizations ( )
		configuring serial line ( )
		modifying policy ( )
		non-allocatable
			setting the label range ( )
		policy defaults ( )
		reclaiming ( )
		setting policy ( )
		setting up audio ( )

	directories
		changing flags ( )
		changing labels and privileges ( )
		security attributes ( ) ( )
		sharing ( )
		upgraded ( )

	dminfo command, reporting entry in the device_maps ( )

	dtsession command, running updatehome ( )

	dtterm terminal
		forcing the sourcing of .profile ( ) ( )

	dtwm command ( )


E

	Edit Owned Jobs authorization ( ) ( )

	editing privileged executables ( )

	email
		managing ( ) ( )
		options ( )
		switching mail tools ( ) ( )
		troubleshooting ( )

	emetric, described ( )

	emetrics, using in routing ( )

	/etc/cron.d/CRON, cron lock file ( )

	/etc/cron.d/cron.admin file, creating ( )

	/etc/default/login file, specifying RETRIES ( )

	/etc/init.d directory, RMTMPFILES script ( )

	/etc/init.d scripts, Trusted Solaris modifications ( )

	/etc/nologin file, disabling logins ( )

	/etc/skel directory ( )

	exec system call, inheriting privileges across ( )

	executable files
		assigning forced privileges ( )
		editing while preserving privileges ( )

	exporting software ( )


F

	failsafe session, recovering from startup file errors ( )

	fallback mechanism, creating ( )

	FDFS, mounting ( )

	file_mac_write privilege, resulting in a file's dominating its directory's SL ( )

	File Manager
		as trusted process ( )
		changing security attributes ( )
		Privileges dialog box ( )

	file systems
		cachefs type ( )
		changing security attributes using mount ( )
		changing security attributes using newsecfs ( )
		changing security attributes using setfsattr command ( )
		changing security attributes using vfstab file ( )
		fdfs type ( )
		hsfs type ( )
		lofs type ( )
		managing ( )
		nfs type ( )
		pcfs type ( )
		security attributes ( ) ( )
		sharing ( )
		single label ( )
		table of supported types, examples, notes ( )
		tmpfs type ( )

	file_upgrade_sl privilege, resulting in upgraded names ( )

	files
		backing up ( )
		changing flags ( )
		changing labels ( )
		changing privileges ( )
		managing ( )
		procedure for changing labels and privileges ( )
		restoring ( )
		upgraded ( )

	floppy disk devices
		accessing ( )
		device_clean script ( )

	forced privileges, assigning ( )

	fork system call, inheriting privileges across ( )

	Front Panel
		as trusted process ( )
		Device Allocation Manager ( )


G

	getdents system call, restricting from returning upgraded names ( )

	getfattrflag command ( )

	getfpriv command, using to save privileges ( )

	getfsattr command ( )

	groups
		deletion precautions ( )
		security requirements ( )


H

	help file, creating ( )

	hexadecimal label equivalents, determining ( )

	host types
		networking ( )
		table of templates and protocols ( )

	hosts, networking concepts ( )

	HSFS
		mounting ( )
		procedure for mounting ( )


I

	icons
		visibility
			in the File Manager ( )
			in the Workspace Menu ( )

	identification and authentication
		before assuming a role ( ) ( )

	IMAP server, adding to NIS+ admin group ( )

	inheritable privileges ( )

	init.d directory, RMTMPFILES script ( )

	initialization files, Trusted Solaris differences ( )

	Interface Manager tool, using ( )

	internationalization, changing printer output ( )

	IP Options, using for trusted routing ( )


J

	Java jar files, installing ( )


K

	kadb command, overriding default setting ( )

	kernel switches
		changing defaults ( )
		configurable ( )

	keyboard shutdown
		changing default ( )
		enabling ( )

	kmem kernel image file ( )


L

	label_encodings file
		procedures
			printing without banners and trailers ( )

	label ranges
		receiving mail outside of ( )
		setting on individual computers ( )
		setting on printers ( )

	labels
		changing on files and directories ( )
		seeing on directories ( )

	libt6 library ( )

	.link_files file
		using ( )
		example ( )
		setting up for users ( )

	links - symbolic, MAC attributes ( )

	list_devices command ( )

	local.login file, defining printers ( )

	LOFS, mounting ( )

	login
		by administrative roles ( ) ( )
		configuring serial line ( )
		maximum allowed number of failures ( )
		opening an account closed by too many failed logins ( )
		preventing being disabled after reboot ( )
		setting the maximum number of failures ( )

	.login file
		setting up for users ( ) ( )

	login sequence ( )

	login shells, assigning to roles ( )


M

	MAC
		cautions about override privileges ( )
		incoming packets
			packets ( )
		outgoing packets ( )
		policy for devices ( )

	mail
		adding IMAP server ( )
		alternate application ( )
		checking network connections ( )
		creating action ( )
		installing alternate mailer ( )
		loss of mail icons ( )
		managing ( ) ( )
		modifying an alias ( )
		options ( ) ( )
		outside label range ( )
		setting up IMAP server ( )
		substituting alternate application ( )
		switching mail tools ( ) ( )
		troubleshooting ( ) ( )
		viewing the mail queue ( )

	Mailing Lists tool, using ( )

	.mailrc file ( )

	man pages
		accessing all ( ) ( )

	Manage All Jobs authorization ( ) ( )

	MANPATH environment variable ( )

	MLDs
		listing user's home directories ( )
		mounting ( )
		mounting on unlabeled hosts ( )
		privilege requirements ( )

	mounts
		managing ( )
		procedure for TMPFS file systems ( )
		troubleshooting ( )


N

	Name Service Switch action ( )

	name services
		actions for managing ( )
		adding a client ( )
		advantages ( )
		databases unique to Trusted Solaris environment ( )
		managing ( )
		saving and restoring databases ( )

	network interfaces
		configuring ( )
		requirements ( )

	networking concepts ( )

	networks
		default labeling ( )
		using templates ( )

	newsecfs command ( )

	NFS, mounting ( )

	NIS+
		adding a NIS+ client ( )
		adding IMAP server ( )
		adding role to admin group ( )
		saving and restoring tables ( )
		viewing table information ( )

	normal user, accessing devices ( )

	nsswitch.conf file, trusted network configuration ( )


O

	object reuse, clearing names of empty directories ( )

	open_priv, policy for devices ( )


P

	packages, accessing the CD ( )

	packets
		IP options ( )
		IP options field ( )
		outgoing
			MAC rules ( )
		security attributes ( )

	passwords
		assigning ( )
		changing allowed tries ( )
		role ( )
		storage ( )

	PCFS, mounting ( )

	permissions, on devices ( )

	polling trusted network databases, changing ( )

	Printer Administrator, launching ( )

	printers, setting label range ( )

	printing
		accessing remote printer ( )
		configuring attached printer ( )
		configuring for labels ( )
		configuring labels and text ( )
		managing ( )
		restricting label range ( )
		using a non-Trusted Solaris server ( )
		without banners and trailers ( )
		without labels ( )
		without page labels ( ) ( )

	priv_name file ( )

	priv_names.h file ( )

	privilege debugging, setting tsol_privs_debug ( )

	privileged commands, run by cron and at ( )

	privileged programs ( )

	privileges
		adding ( )
		adding to software ( )
		allowed ( )
		assigning forced ( )
		changing on files and directories ( )
		debugging ( )
		forced
			assigning ( )
		giving forced ( )
		inheritable ( ) ( )
		non-obvious reasons for requiring ( )
		passing to child processes ( )
		saving and restoring an edited executable ( )

	PROCFS, mounting ( )

	.profile file
		setting up for users ( ) ( )

	profile shell
		enabling privilege ( )
		startup algorithm ( )

	profiles, assigning ( )

	programs
		commercial
			assigning privileges to ( )
		new, trusted
			assigning privileges to ( )
		privilege debugging ( )
		trusted vs. trustworthy ( )


R

	rcp command, required privilege ( )

	real UID of root, required for applications ( )

	reboot, changing device_policy ( )

	remote administration, editor limitations ( )

	remote logins, enabling for roles ( )

	remote role assumption ( )

	remove_allocatable command ( )

	rights, assigning ( )

	rights profiles
		boot ( )
		controlling the use of actions ( )
		creating ( )
		creating new for boot commands ( )
		listing ( )
		modifying ( )

	Rights tool
		specifying privileges for commands and actions ( )
		using ( ) ( ) ( ) ( )
		viewing new actions ( )

	RIPSO
		supported classifications ( )
		use in packets ( )

	roles
		administrative ( )
		assigning login shell ( )
		creating ( ) ( )
		listing ( )
		managing ( )
		modifying ( )
		See administrative roles ( )

	root UID, required for applications ( )

	routers ( )

	routing
		concepts ( ) ( )
		static with emetrics ( )
		tables ( )

	run control scripts
		shell use ( ) ( )

	runpd command ( )


S

	/sbin/sysh shell ( )

	security administrators
		enforcing security ( )
		modifying window configuration files ( )

	security attributes
		file systems ( ) ( )
		modifying user defaults ( ) ( )
		saving to tape ( )
		setting at mount time ( )
		setting for remote hosts ( )
		setting on file system ( )
		setting using newsecfs ( )

	Security Families tool
		assigning templates ( )
		using ( )

	security features, identification and authentication ( )

	security mechanisms, extendable ( )

	security policy
		allowing a wildcard in special boot files ( )
		training users ( ) ( ) ( )

	sel_config file
		changing defaults ( )
		configuring selection transfer rules ( )
		sections ( )

	sel_mgr command ( )

	sendmail command
		tracing mail delivery ( )
		using ( )

	serial line, configuring for logins ( )

	Set Mail Options action ( )

	setfattrflag command ( )

	setfpriv command ( )

	setfsattr command ( )

	shell scripts
		profile ( )
		Trusted Solaris behavior ( )
		user and role requirements ( )
		writing ( )
		writing privileged ( )
		writing privileged using standard shells ( )

	shells
		assigning to accounts ( )
		assigning to roles ( )
		profile ( ) ( )
		profile startup algorithm ( )
		standard ( )
		sysh ( )

	skeleton directories
		defining printers ( )
		use in Trusted Solaris ( )

	software
		exporting ( )
		importing ( )
		installing at ADMIN_LOW ( )
		installing Java programs ( )
		porting
			reasons against ( )
		privilege debugging ( )

	Solaris Management Console
		Administrative Roles tool ( )
		Interface Manager tool ( )
		launching ( )
		Rights tool ( ) ( ) ( ) ( )
		Security Families tool ( )
		User Accounts tool ( ) ( )

	startup files
		configuring accounts ( ) ( )
		.mailrc file ( )
		procedures for customizing ( ) ( )
		read at window system startup ( )
		recovering from errors ( )
		RMTMPFILES ( )

	Stop-A
		changing default ( )
		enabling ( )

	str_type ( )

	symbolic links, MAC attributes ( )

	sysh shell ( )

	System_Admin folder, using administrative actions ( )

	system file, changing defaults ( )

	system security, violations ( )

	system shell, enabling privilege ( )


T

	tape devices
		accessing ( )
		device_clean scripts ( )

	tar, saving security attributes ( )

	TMPFS
		mounting ( )
		procedure for mounting ( )

	tnd polling interval, changing ( )

	Tools subpanel, Device Allocation Manager ( )

	troubleshooting
		loss of mail icons ( )
		mail delivery ( )
		mounts ( )
		sendmail ( )

	trusted_edit script, assigning as default editor ( )

	trusted networking
		0.0.0.0 tnrhdb entry ( )
		fallback mechanism ( )
		host types ( )

	trusted path attribute, when available ( )

	Trusted Path menu ( )

	trusted processes
		defined ( )
		launching actions ( )

	trusted programs
		adding ( )
		defined ( )

	trustworthy programs ( )

	tsol_hide_upgraded_names kernel switch ( )

	tsol_privs_debug kernel switch ( )

	TSOLadmin.dt file, adding an administrative action ( )

	tsolgateways file ( )

	tunnel file
		procedure for creating ( )
		setting up tunneling ( )

	tunnelling, passing emetrics through non-TSOL hosts gateways ( )


U

	UFS, mounting in Trusted Solaris ( )

	UIDs, effective UID of root ( )

	UNIX domain socket, used by cron and its clients ( )

	unlabeled hosts, mounting MLDs ( )

	updatehome command ( )

	upgraded names ( )

	User Accounts tool
		assigning rights profiles ( )
		opening an account closed by too many failed logins ( )
		using ( ) ( )

	User Templates tool
		advantages ( )
		using ( )

	users
		access to devices ( )
		access to printers ( )
		assigning authorizations ( )
		assigning rights ( )
		creating ( ) ( )
		creating templates ( ) ( )
		modifying ( )
		modifying security defaults ( ) ( )
		preventing account locking ( ) ( )
		security training ( ) ( ) ( )
		setting up skeleton directories ( )
		setting up startup files ( ) ( )
		tracking others' jobs ( ) ( )

	/usr/dt/appconfig/appmanager/C/System_Admin file, adding an administrative action ( )

	/usr/dt/appconfig/types/C/TSOLadmin.dt file, adding an administrative action ( )


V

	vi command, aliasing to trusted_edit ( )


W

	window manager ( )

	window system, trusted processes ( )

	Workspace Menu
		as trusted process ( )
		customizing ( )


X

	Xtsolusersession script ( )

Previous: Chapter 13 Adding Software