SunSHIELD Basic Security Module Guide

Chapter 1 Installation

Starting with the Solaris 2.3 release, BSM has been included in the full release and is part of the release media. You do not need to install BSM separately because BSM is now enabled or disabled by running one of two simple scripts. All of the BSM software is included in the initial system installation, provided you install the following packages:

The following procedures should be performed only by root. Additionally, the commands should be run only on a server or standalone system and never on a diskless client.

Enabling BSM

After becoming root, bring the system into single-user mode using telinit (see the init(1M) man page).


# /etc/telinit 1

In single-user mode, change directories to the /etc/security directory, and execute the bsmconv script located there. The script sets up a standard Solaris machine to run BSM after a reboot.


# cd /etc/security
# ./bsmconv

After the script finishes, reboot the system with the telinit command to bring it up as a multiuser BSM system.


# /etc/telinit 6

Note -

The bsmconv script adds a line to /etc/system to disable the ability to abort the system using the Stop-a keyboard sequence. If you want to retain the ability to abort the system using the Stop-a keyboard sequence, you must comment out the line that reads "set abort_enable = 0" in /etc/system.


Disabling BSM

If at some point BSM is no longer required, you can disable it by running bsmunconv (see the bsmconv(1M) man page). Again, first bring the system into single-user mode using telinit, then change to the /etc/security directory and run bsmunconv.


# /etc/telinit 1
# cd /etc/security
# ./bsmunconv

After unconverting the system, reboot it to run as a multiuser Solaris machine.


# /etc/telinit 6

Note -

The bsmunconv script removes the line in /etc/system which disables the ability to abort the system using the Stop-a keyboard sequence. If you want to continue to disable the ability to abort the system using the Stop-a keyboard sequence after running the bsmunconv script, you must reenter a line that reads "set abort_enable = 0" in /etc/system.
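Both notes above amount to toggling one line in /etc/system by hand: commenting out "set abort_enable = 0" after bsmconv if you want to keep Stop-a, and re-adding it after bsmunconv if you want Stop-a to stay disabled. The shell functions below are an added example, not part of the SunSHIELD guide or the bsmconv/bsmunconv scripts; they take the file path as an argument so they can be tried on a copy before touching the real /etc/system, and the sample file they build is constructed for illustration. They rely only on the /etc/system comment convention (a line beginning with "*") and on POSIX grep and sed.

```shell
#!/bin/sh
# Added example (not from the SunSHIELD guide): manage the
# "set abort_enable = 0" line that bsmconv adds to /etc/system.
# Every function takes the file to edit as $1, so you can rehearse on a
# copy (e.g. cp /etc/system /tmp/system.test) before editing the real file.

# Pattern for an active (uncommented) "set abort_enable = 0" line.
ABORT_PAT='^[[:space:]]*set[[:space:]]\{1,\}abort_enable[[:space:]]*=[[:space:]]*0[[:space:]]*$'

# Return 0 if the file currently disables Stop-a (line present and active).
stop_a_disabled() {
    grep -q "$ABORT_PAT" "$1"
}

# After bsmconv: keep Stop-a by commenting out the line it added.
# "*" starts a comment in /etc/system; the original text is kept after it.
keep_stop_a() {
    tmp="$1.tmp.$$"
    sed "s/$ABORT_PAT/* &/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# After bsmunconv: disable Stop-a again by re-adding the line.
# Idempotent: does nothing if an active line is already present.
disable_stop_a() {
    if stop_a_disabled "$1"; then
        return 0
    fi
    echo 'set abort_enable = 0' >> "$1"
}

# Constructed sample /etc/system fragment for rehearsal; not a real file.
make_sample() {
    cat > "$1" <<'EOF'
* Constructed sample /etc/system fragment (not a real system file)
set abort_enable = 0
set maxusers = 64
EOF
}

# Usage: ./abort_enable.sh --demo   (rehearses both edits on a temp copy)
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample "$f"
    keep_stop_a "$f"      # what you do after bsmconv to keep Stop-a
    disable_stop_a "$f"   # what you do after bsmunconv to drop Stop-a again
    cat "$f"
    rm -f "$f"
fi
```

Run the functions against a copy first; the sed step rewrites the whole file through a temporary name and then moves it into place, so a failed substitution leaves the original untouched. Whatever you change in /etc/system takes effect only at the next reboot, the same as the bsmconv and bsmunconv edits themselves.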


BSM and Client-Server Relationships

The Solaris 2.1 release required two additional procedures for adding and deleting diskless clients from a BSM-enabled system. With the inclusion of BSM in the Solaris 2.3 and later releases, those procedures are no longer necessary. Enabling BSM on a server now automatically enables the BSM features on all of that server's clients.