Trusted Solaris Administrator's Procedures

To Create a New File Edit Action

  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  2. Launch the Admin Editor action to open the /usr/dt/appconfig/types/C/TSOLadmin.dt file for editing.

    See "To Log In and Assume a Role" and "To Edit a Local File", if needed.

  3. Copy and paste the definition for one of the existing actions in the TSOLadmin.dt file.

    The example in this procedure modifies a copy of the Vfstab action.


    ACTION Vfstab
    {
            LABEL        Set Mount Points
            ICON         Dtpenpd
            TYPE         COMMAND
            WINDOW_TYPE  NO_STDIO
            EXEC_STRING  /usr/dt/bin/trusted_edit /etc/vfstab
            DESCRIPTION  Specify the file system mount points
    }

  4. Modify the copied action's definitions.

    1. Change the ACTION name.

      This example creates a new action to edit the /etc/system file to modify Trusted Solaris kernel switch settings.


      ACTION EditSystemFile
      {

    2. Change the LABEL.


      LABEL            Edit System File
      
    3. Change the ICON, if you have created a new icon or want to use another existing one from /usr/dt/appconfig/icons/C.



      ICON           Dtpenpd
      

    4. Change the file name in the EXEC_STRING.



      EXEC_STRING      /usr/dt/bin/trusted_edit /etc/system
      

    5. Change the text in the DESCRIPTION.



      DESCRIPTION        Modify system file
      }

  5. Save and close the TSOLadmin.dt file.


    :wq
    
  6. Copy and rename the Vfstab action file.

    1. Go to /usr/dt/appconfig/appmanager/C/System_Admin.

    2. Clone the Vfstab file and rename it to the name of the new action.

      For example, rename Vfstab to EditSystemFile.

    3. Make the action file executable.

      Select the Permissions option on the File Manager's File menu and set the permissions to executable for owner, group, and other, or enter the following on the command line:


      $ chmod a+x EditSystemFile
      
  7. In the System Administrator role, copy the modified TSOLadmin.dt and action files to every host in the domain.

    Since actions are not administered through the name service, some other means of distribution must be used, such as rdist(1) or sneakernet (copying the files to a floppy and carrying it around to install the files on each host).

  8. In the Security Administrator role, bring up the Solaris Management Console, choosing the appropriate name service scope.

    To make the action available only to one host, choose the Files scope on the host.

  9. Click Users and provide a password when prompted.

  10. Double-click the Rights tool, then double-click either the Information Security profile or the Object Access Management profile.

    The Properties dialog box for the Right is displayed.

    1. If the action edits a security-relevant file, such as the /etc/system file, open the Information Security profile.

    2. If the action edits an administrative file that would normally be modified by a UNIX system administrator and that does not contain labels or other security attributes, such as the group file, open the System Management profile.

  11. Click Actions, then System_Admin in the Actions Denied column.

    The new action should be listed. Refer to the online help for assistance.

  12. Add the action to the rights profile, and assign to the action the same privileges that are assigned to the Set Mount Points action: file_dac_read, file_dac_write, proc_audit_appl, proc_audit_tcb.

  13. To make the action usable, log out and log in again.
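
An added check, not part of the original procedure: after a definition has been copied and edited by hand in TSOLadmin.dt, this script lists each ACTION block, the file its EXEC_STRING opens, and whether the block is complete. The function names, the status words, and the EditGroupFile sample action are assumptions made for this example, as is the rule that every action should invoke /usr/dt/bin/trusted_edit, which is taken from the two definitions shown above.

```shell
#!/bin/sh
# lint_actions [FILE]: one line per ACTION block in a CDE .dt file:
#   name <TAB> file opened by the editor <TAB> status
lint_actions() {
    awk '
    $1 == "ACTION" {
        # A new ACTION before the previous "}" means a brace was lost in the paste.
        if (inblk) printf "%s\t%s\tUNCLOSED\n", name, target
        name = $2; target = "-"; cmd = ""; label = 0; type = ""; inblk = 1
        next
    }
    inblk && $1 == "LABEL"       { label = (NF > 1) }
    inblk && $1 == "TYPE"        { type = $2 }
    inblk && $1 == "EXEC_STRING" { cmd = $2; if (NF >= 3) target = $3 }
    inblk && $1 == "}" {
        status = "OK"
        if (!label || type != "COMMAND") status = "INCOMPLETE"
        else if (cmd != "/usr/dt/bin/trusted_edit") status = "NOT_TRUSTED_EDIT"
        else if (target == "-") status = "NO_TARGET"
        printf "%s\t%s\t%s\n", name, target, status
        inblk = 0
    }
    END { if (inblk) printf "%s\t%s\tUNCLOSED\n", name, target }
    ' "$@"
}

# Constructed sample: the EditSystemFile definition assembled from step 4,
# plus a hypothetical EditGroupFile action pasted without its closing brace.
sample_dt() {
    cat <<'EOF'
ACTION EditSystemFile
{
        LABEL        Edit System File
        ICON         Dtpenpd
        TYPE         COMMAND
        WINDOW_TYPE  NO_STDIO
        EXEC_STRING  /usr/dt/bin/trusted_edit /etc/system
        DESCRIPTION  Modify system file
}
ACTION EditGroupFile
{
        LABEL        Edit Group File
        EXEC_STRING  /usr/dt/bin/trusted_edit /etc/group
EOF
}

sample_dt | lint_actions
```

Run it against the edited file before step 7 (for example, `lint_actions /usr/dt/appconfig/types/C/TSOLadmin.dt`) so that a malformed definition is caught before it is copied to every host.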