Oracle Solaris Trusted Extensions Administrator's Procedures

Chapter 3 Getting Started as a Trusted Extensions Administrator (Tasks)

This chapter introduces you to administering a system that is configured with Solaris Trusted Extensions.

What's New in Trusted Extensions

Solaris 10 10/08 – In this release, Trusted Extensions provides the following features:

The Trusted Extensions shared IP stack allows default routes to isolate labeled zones from each other and from the global zone.
The loopback interface, lo0, is an all-zones interface.
Separation of duty can be enforced by role. The System Administrator role creates users, but cannot assign passwords. The Security Administrator role assigns passwords, but cannot create users. For details, see Create Rights Profiles That Enforce Separation of Duty in Oracle Solaris Trusted Extensions Configuration Guide.
This guide includes a list of Trusted Extensions man pages in Appendix B, List of Trusted Extensions Man Pages.

Solaris 10 5/08 – In this release, Trusted Extensions provides the following features:

The service management facility (SMF) manages Trusted Extensions as the svc:/system/labeld service. By default, the labeld service is disabled. When the service is enabled, the system must still be configured and rebooted to enforce Trusted Extensions security policies.
The CIPSO Domain of Interpretation (DOI) number that your system uses is configurable.
- For information about the DOI, see Network Security Attributes in Trusted Extensions.
- To specify a DOI that differs from the default, see Configure the Domain of Interpretation in Oracle Solaris Trusted Extensions Configuration Guide.
Trusted Extensions recognizes CIPSO labels in NFS Version 3 (NFSv3) mounted file systems, as well as in NFS Version 4 (NFSv4). Therefore, you can mount NFSv3 file systems on a Trusted Extensions system as a labeled file system. To use udp as an underlying protocol for multilevel mounts in NFSv3, see How to Configure a Multilevel Port for NFSv3 Over udp.
The name service cache daemon, nscd, can be configured to run in every labeled zone at the label of the zone.

Security Requirements When Administering Trusted Extensions

In Trusted Extensions, roles are the conventional way to administer the system. Typically, superuser is not used. Roles are created just as they are in the Solaris OS, and most tasks are performed by roles. In Trusted Extensions, the root user is not used to perform administrative tasks.

The following roles are typical of a Trusted Extensions site:

root role – Created by the initial setup team
Security Administrator role – Created during or after initial configuration by the initial setup team
System Administrator role – Created by the Security Administrator role

As in the Solaris OS, you might also create a Primary Administrator role, an Operator role, and so on. With the exception of the root role, the roles that you create can be administered in a naming service.

As in the Solaris OS, only users who have been assigned a role can assume that role. In Solaris Trusted Extensions (CDE), you can assume a role from a desktop menu called the Trusted Path menu. In Solaris Trusted Extensions (JDS), you can assume a role when your user name is displayed in the Trusted Stripe. The role choices appear when you click your user name.

Role Creation in Trusted Extensions

To administer Trusted Extensions, you create roles that divide system and security functions. The initial setup team created the Security Administrator role during configuration. For details, see Create the Security Administrator Role in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide.

The process of creating a role in Trusted Extensions is identical to the Solaris OS process. As described in Chapter 2, Trusted Extensions Administration Tools, the Solaris Management Console is the GUI for managing roles in Trusted Extensions.

For an overview of role creation, see Chapter 10, Role-Based Access Control (Reference), in System Administration Guide: Security Services and Using RBAC (Task Map) in System Administration Guide: Security Services.
To create a powerful role that is equivalent to superuser, see Creating the Primary Administrator Role in System Administration Guide: Basic Administration. At sites that use Trusted Extensions, the Primary Administrator role might violate security policy. These sites would turn root into a role, and create a Security Administrator role.
To create the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.
To create roles by using the Solaris Management Console, see How to Create and Assign a Role by Using the GUI in System Administration Guide: Security Services.

Role Assumption in Trusted Extensions

Unlike the Solaris OS, Trusted Extensions provides an Assume Rolename Role menu item from the Trusted Path menu. After confirming the role password, the software activates a role workspace with the trusted path attribute. Role workspaces are administrative workspaces. Such workspaces are in the global zone.

Getting Started as a Trusted Extensions Administrator (Task Map)

Familiarize yourself with the following procedures before administering Trusted Extensions.

Task	Description	For Instructions
Log in.	Logs you in securely.	Logging In to Trusted Extensions in Oracle Solaris Trusted Extensions User’s Guide
Perform common user tasks on a desktop.	These tasks include: Configuring your workspaces Using workspaces at different labels Accessing Trusted Extensions man pages Accessing Trusted Extensions online help	Working on a Labeled System in Oracle Solaris Trusted Extensions User’s Guide
Perform tasks that require the trusted path.	These tasks include: Allocating a device Changing your password Changing the label of a workspace	Performing Trusted Actions in Oracle Solaris Trusted Extensions User’s Guide
Create useful roles.	Creates administrative roles for your site. Creating roles in LDAP is a one-time task. The Security Administrator role is a useful role.	Role Creation in Trusted Extensions Create the Security Administrator Role in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide
(Optional) Make `root` a role.	Prevents anonymous login by `root`. This task is done once per system.	How to Make root User Into a Role in System Administration Guide: Security Services
Assume a role.	Enters the global zone in a role. All administrative tasks are performed in the global zone.	How to Enter the Global Zone in Trusted Extensions
Exit a role workspace and become regular user.	Leaves the global zone.	How to Exit the Global Zone in Trusted Extensions
Locally administer users, roles, rights, zones, and networks.	Uses the Solaris Management Console to manage the distributed system.	How to Administer the Local System With the Solaris Management Console
Administer the system by using Trusted CDE actions.	Uses the administrative actions in the Trusted_Extensions folder.	How to Start CDE Administrative Actions in Trusted Extensions
Edit an administrative file.	Edits files in a trusted editor.	How to Edit Administrative Files in Trusted Extensions
Administer device allocation.	Uses the Device Allocation Manager – Device Administration GUI.	Managing Devices in Trusted Extensions (Task Map)

How to Enter the Global Zone in Trusted Extensions

By assuming a role, you enter the global zone in Trusted Extensions. Administration of the entire system is possible only from the global zone. Only superuser or a role can enter the global zone.

After assuming a role, the role can create a workspace at a user label to edit administration files in a labeled zone.

For troubleshooting purposes, you can also enter the global zone by starting a Failsafe session. For details, see How to Log In to a Failsafe Session in Trusted Extensions.

Before You Begin

You have created one or more roles, or you plan to enter the global zone as superuser. For pointers, see Role Creation in Trusted Extensions.

Use a trusted mechanism.
- In Solaris Trusted Extensions (JDS), click your user name in the trusted stripe and choose a role.
  
  If you have been assigned a role, the role names are displayed in a list.
  
  For the location and significance of Trusted Extensions desktop features, see Chapter 4, Elements of Trusted Extensions (Reference), in Oracle Solaris Trusted Extensions User’s Guide.
- In Solaris Trusted Extensions (CDE), open the Trusted Path menu.
  1. Click mouse button 3 over the workspace switch area.
  2. Choose Assume rolename Role from the Trusted Path menu.

At the prompt, type the role password.

In Trusted CDE, a new role workspace is created, the workspace switch button changes to the color of the role desktop, and the title bar above each window shows Trusted Path. In Trusted JDS, the current workspace changes to the role workspace.

In Trusted CDE, you leave a role workspace by using the mouse to choose a regular user workspace. You can also delete the last role workspace to exit a role. In Trusted JDS, you click the role name on the trusted stripe, and from the menu, select a different role or user. This action changes the current workspace to the process of the new role or user.

How to Exit the Global Zone in Trusted Extensions

The menu locations for exiting a role are different in Trusted JDS and Trusted CDE.

Before You Begin

You are in the global zone.

On both desktops, you can click a user workspace in the Workspace Switch area.

You can also exit the role workspace, and therefore the global zone, by doing one of the following:
- In Trusted JDS, click your role name in the trusted stripe.
  
  When you click the role name, your user name and a list of roles that you can assume is displayed. When you select your user name, all subsequent windows that you create in that workspace are created by the selected name. The windows that you previously created on the current desktop continue to display at the name and label of the role.
  
  If you choose a different role name, you remain in the global zone in a different role.
- In Trusted CDE, delete the role workspace.
  
  Click mouse button 3 over the workspace button and select Delete. You are returned to the last workspace you occupied.

How to Administer the Local System With the Solaris Management Console

The first time that you launch the Solaris Management Console on a system, a delay occurs while the tools are registered and various directories are created. This delay typically occurs during system configuration. For the procedure, see Initialize the Solaris Management Console Server in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide.

To administer a remote system, see Administering Trusted Extensions Remotely (Task Map).

Before You Begin

You must have assumed a role. For details, see How to Enter the Global Zone in Trusted Extensions.

Start the Solaris Management Console.

In Solaris Trusted Extensions (JDS), use the command line.
$ /usr/sbin/smc &
In Trusted CDE, you have three choices.
- Use the smc command in a terminal window.
- From the Tools pull-up menu on the Front Panel, click the Solaris Management Console icon.
- In the Trusted_Extensions folder, double-click the Solaris Management Console icon.

Choose Console -> Open Toolbox.

From the list, select a Trusted Extensions toolbox of the appropriate scope.

A Trusted Extensions toolbox has Policy=TSOL as part of its name. The Files scope updates local files on the current system. The LDAP scope updates LDAP directories on the Sun Java^TM System Directory Server. The toolbox names appear similar to the following:
This Computer (this-host: Scope=Files, Policy=TSOL) This Computer (ldap-server: Scope=LDAP, Policy=TSOL)

Navigate to the desired Solaris Management Console tool.

The password prompt is displayed.

For tools that Trusted Extensions has modified, click System Configuration.

Type the password.

Refer to the online help for additional information about Solaris Management Console tools. For an introduction to the tools that Trusted Extensions modifies, see Solaris Management Console Tools.

To close the GUI, choose Exit from the Console menu.

How to Start CDE Administrative Actions in Trusted Extensions

Assume a role.

For details, see How to Enter the Global Zone in Trusted Extensions.

In Trusted CDE, bring up the Application Manager.
1. Click mouse button 3 on the background to bring up the Workspace menu.
2. Click Applications, then click the Application Manager menu item.
  
  The Trusted_Extensions folder is in the Application Manager.

Open the Trusted_Extensions folder.

Double-click the appropriate icon.

For a list of administrative actions, see Trusted CDE Actions.

How to Edit Administrative Files in Trusted Extensions

Administrative files are edited with a trusted editor that incorporates auditing. This editor also prevents the user from executing shell commands and from saving to any file name other than the name of the original file.

Assume a role.

For details, see How to Enter the Global Zone in Trusted Extensions.

Open a trusted editor.
- In Solaris Trusted Extensions (CDE), do the following:
  1. To bring up the editor, click mouse button 3 on the background to bring up the Workspace menu.
  2. Click Applications, then click the Application Manager menu item.
    
    The Trusted_Extensions folder is in the Application Manager.
  3. Open the Trusted_Extensions folder.
  4. Double-click the Admin Editor action.
    
    You are prompted to provide a file name. For the format, see Step 3 and Step 4.
- In Solaris Trusted Extensions (JDS), do the following:
  - (Optional) To use gedit as the trusted editor, modify the EDITOR variable.
    
    For details, see How to Assign the Editor of Your Choice as the Trusted Editor.
  - Use the command line to bring up the trusted editor.
    # /usr/dt/bin/trusted_edit filename
    You must provide a filename argument.

To create a new file, type the full path name for the new file.

When you save the file, the editor creates a temporary file.

To edit an existing file, type the full path name for the existing file.

Note –
If your editor provides a Save As option, do not use it. Use the editor's Save option to save the file.

To save the file to the specified path name, close the editor.