Oracle Solaris Trusted Extensions Administrator's Procedures Oracle Solaris 10 8/11 Information Library
The following task map describes procedures to protect devices at your site.
By default, an allocatable device has a label range from ADMIN_LOW to ADMIN_HIGH and must be allocated for use. Also, users must be authorized to allocate the device. These defaults can be changed.
The following devices can be allocated for use:
audion – Indicates a microphone and speaker
cdromn – Indicates a CD-ROM drive
floppyn – Indicates a diskette drive
mag_tapen – Indicates a tape drive (streaming)
rmdiskn – Indicates a removable disk, such as a JAZ or ZIP drive, or USB hot-pluggable media
Before You Begin
You must be in the Security Administrator role in the global zone.
The Device Allocation Manager appears.
Click Device Administration, then highlight the device. The following figure shows a CD-ROM drive with default security settings.
Click the Min Label... button. Choose a minimum label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions.
Click the Max Label... button. Choose a maximum label from the label builder.
In the Device Allocation Configuration dialog box, under For Allocations From Trusted Path, select an option from the Allocatable By list. By default, the Authorized Users option is checked. Therefore, the device is allocatable and users must be authorized.
When configuring a printer, frame buffer, or other device that must not be allocatable, select No Users.
In the For Allocations From Non-Trusted Path section, select an option from the Allocatable By list. By default, the Same As Trusted Path option is checked.
The following dialog box shows the solaris.device.allocate authorization is required to allocate the cdrom0 device.
To create and use site-specific device authorizations, see Customizing Device Authorizations in Trusted Extensions (Task Map).
If a device is not listed in the Device Allocation Manager, it might already be allocated or it might be in an allocate error state. The system administrator can recover the device for use.
Before You Begin
You must be in the System Administrator role in the global zone. This role includes the solaris.device.revoke authorization.
In the following figure, the audio device is already allocated to a user.
Select the device name and check the State field.
The No Users option in the Allocatable By section of the Device Configuration dialog box is used most often for the frame buffer and printer, which do not have to be allocated to be used.
Before You Begin
You must be in the Security Administrator role in the global zone.
Click the Min Label... button. Choose a minimum label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions.
Click the Max Label... button. Choose a maximum label from the label builder.
Example 17-1 Preventing Remote Allocation of the Audio Device
The No Users option in the Allocatable By section prevents remote users from hearing conversations around a remote system.
The security administrator configures the audio device in the Device Allocation Manager as follows:
    Device Name: audio
    For Allocations From: Trusted Path
    Allocatable By: Authorized Users
    Authorizations: solaris.device.allocate

    Device Name: audio
    For Allocations From: Non-Trusted Path
    Allocatable By: No Users
Before You Begin
You must be in the Security Administrator role in the global zone.
Figure 17-1 Serial Ports Tool in the Solaris Management Console
Provide a password when prompted. Follow the online help to configure the serial port.
The default label range is ADMIN_LOW to ADMIN_HIGH.
Example 17-2 Restricting the Label Range of a Serial Port
After creating a serial login device, the security administrator restricts the label range of the serial port to a single label, Public. The administrator sets the following values in the Device Administration dialog boxes.
    Device Name: /dev/term/[a|b]
    Device Type: tty
    Clean Program: /bin/true
    Device Map: /dev/term/[a|b]
    Minimum Label: Public
    Maximum Label: Public
    Allocatable By: No Users
The following procedure enables an audio player to open automatically in a Trusted CDE workspace when a user inserts a music CD. For the user's procedure, see the example in How to Allocate a Device in Trusted Extensions in Oracle Solaris Trusted Extensions User’s Guide.
Note - In a Trusted JDS workspace, users specify the behavior of removable media just as they specify it in a non-trusted workspace.
Before You Begin
You must be in the System Administrator role in the global zone.
Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.
action media action_program.so path-to-program
Example 17-3 Configuring an Audio Player Program for Use
In the following example, the system administrator makes the workman program available to all users of a system. The workman program is an audio player program.
    # /etc/rmmount.conf file
    action cdrom action_workman.so /usr/local/bin/workman
By default, the File Manager displays when a device is mounted. If you are not mounting devices that have file systems, you might want to prevent the File Manager from displaying.
Before You Begin
You must be in the System Administrator role in the global zone.
Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.
    action cdrom action_filemgr.so
    action floppy action_filemgr.so
The following example shows the action_filemgr.so actions commented out for both the cdrom and diskette devices.
    # action cdrom action_filemgr.so
    # action floppy action_filemgr.so
When a CDROM or diskette is allocated, the File Manager does not display.
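A check that can follow either rmmount.conf edit above (the audio player action and the File Manager change), to confirm which action lines are still active. This is an added example, not Oracle's code: the function names and the sample file contents are constructed for illustration, and the parsing assumes the action media action_program.so path-to-program line format shown earlier.

```shell
#!/bin/sh
# Added example: audit the "action" lines of an rmmount.conf-style file.
# Assumed line format (from the procedure text):
#   action media action_program.so path-to-program

# Print "media program.so [args]" for every action line that is NOT commented out.
# Leading whitespace is tolerated; "# action ..." and "#action ..." are skipped.
active_actions() {
    # $1 = path to the file to audit
    awk '$1 == "action" {
             out = $2 " " $3
             for (i = 4; i <= NF; i++) out = out " " $i
             print out
         }' "$1"
}

# Return 0 only if no active action_filemgr.so line remains for a media type.
filemgr_disabled() {
    # $1 = file, $2 = media type (cdrom, floppy, ...)
    ! active_actions "$1" |
        awk -v m="$2" '$1 == m && $2 == "action_filemgr.so" { found = 1 }
                       END { exit !found }'
}

# Constructed sample: cdrom File Manager action commented out, floppy still active.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/rmmount.conf file (constructed sample)
action cdrom action_workman.so /usr/local/bin/workman
# action cdrom action_filemgr.so
  action floppy action_filemgr.so
EOF

echo "Active actions:"
active_actions "$sample"
for media in cdrom floppy; do
    if filemgr_disabled "$sample" "$media"; then
        echo "$media: File Manager action is disabled"
    else
        echo "$media: File Manager action is still active"
    fi
done
rm -f "$sample"
```

On a live system, point both functions at /etc/rmmount.conf after saving the file in the trusted editor.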
If no device_clean script is specified at the time a device is created, the default script, /bin/true, is used.
Before You Begin
Have ready a script that purges all usable data from the physical device and that returns 0 for success. For devices with removable media, the script attempts to eject the media if the user does not do so. The script puts the device into the allocate error state if the medium is not ejected. For details about the requirements, see the device_clean(5) man page.
You must be in the System Administrator role in the global zone.