JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions Configuration and Administration     Oracle Solaris 11 Information Library
search filter icon
search icon

Document Information

Preface

Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

6.  Trusted Extensions Administration Concepts

7.  Trusted Extensions Administration Tools

8.  Security Requirements on a Trusted Extensions System (Overview)

9.  Performing Common Tasks in Trusted Extensions (Tasks)

10.  Users, Rights, and Roles in Trusted Extensions (Overview)

11.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

12.  Remote Administration in Trusted Extensions (Tasks)

13.  Managing Zones in Trusted Extensions (Tasks)

14.  Managing and Mounting Files in Trusted Extensions (Tasks)

15.  Trusted Networking (Overview)

16.  Managing Networks in Trusted Extensions (Tasks)

17.  Trusted Extensions and LDAP (Overview)

18.  Multilevel Mail in Trusted Extensions (Overview)

19.  Managing Labeled Printing (Tasks)

20.  Devices in Trusted Extensions (Overview)

21.  Managing Devices for Trusted Extensions (Tasks)

Handling Devices in Trusted Extensions (Task Map)

Using Devices in Trusted Extensions (Task Map)

Managing Devices in Trusted Extensions (Task Map)

How to Configure a Device in Trusted Extensions

How to Revoke or Reclaim a Device in Trusted Extensions

How to Protect Nonallocatable Devices in Trusted Extensions

How to Add a Device_Clean Script in Trusted Extensions

Customizing Device Authorizations in Trusted Extensions (Task Map)

How to Create New Device Authorizations

How to Add Site-Specific Authorizations to a Device in Trusted Extensions

How to Assign Device Authorizations

22.  Trusted Extensions Auditing (Overview)

23.  Software Management in Trusted Extensions (Reference)

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

C.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Oracle Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

D.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Oracle Solaris Man Pages That Are Modified by Trusted Extensions

Glossary

Index

Customizing Device Authorizations in Trusted Extensions (Task Map)

The following task map describes procedures to change device authorizations at your site.

Task
Description
For Instructions
Create new device authorizations.
Creates site-specific authorizations.
Add authorizations to a device.
Adds site-specific authorizations to selected devices.
Assign device authorizations to users and roles.
Enables users and roles to use the new authorizations.

How to Create New Device Authorizations

If no authorization is specified at the time a device is created, by default, all users can use the device. If an authorization is specified, then, by default, only authorized users can use the device.

To prevent all access to an allocatable device without using authorizations, see Example 21-1.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Edit the auth_attr file.
  2. Create a heading for the new authorizations.

    Use the reverse-order Internet domain name of your organization followed by optional additional arbitrary components, such as the name of your company. Separate components by dots. End heading names with a dot.

    domain-suffix.domain-prefix.optional.:::Company Header::help=Company.html
  3. Add new authorization entries.

    Add the authorizations, one authorization per line. The lines are split for display purposes. The authorizations include grant authorizations that enable administrators to assign the new authorizations.

    domain-suffix.domain-prefix.grant:::Grant All Company Authorizations::
    help=CompanyGrant.html
    domain-suffix.domain-prefix.grant.device:::Grant Company Device Authorizations::
    help=CompanyGrantDevice.html
    domain-suffix.domain-prefix.device.allocate.tape:::Allocate Tape Device::
    help=CompanyTapeAllocate.html
    domain-suffix.domain-prefix.device.allocate.floppy:::Allocate Floppy Device::
    help=CompanyFloppyAllocate.html
  4. Save the file and close the editor.
  5. If you are using LDAP as your naming service, update the auth_attr entries on the Oracle Directory Server Enterprise Edition (Directory Server).

    For information, see the ldapaddent(1M) man page.

  6. Add the new authorizations to the appropriate rights profiles. Then assign the profiles to users and roles.
  7. Use the authorization to restrict access to tape and diskette drives.

    Add the new authorizations to the list of required authorizations in the Device Manager. For the procedure, see How to Add Site-Specific Authorizations to a Device in Trusted Extensions.

Example 21-2 Creating Fine-Grained Device Authorizations

A security administrator for NewCo needs to construct fine-grained device authorizations for the company.

First, the administrator writes the following help files, and places the files in the /usr/lib/help/auths/locale/C directory:

Newco.html
NewcoGrant.html
NewcoGrantDevice.html
NewcoTapeAllocate.html
NewcoFloppyAllocate.html

Next, the administrator adds a header for all of the authorizations for newco.com in the auth_attr file.

# auth_attr file
com.newco.:::NewCo Header::help=Newco.html

Next, the administrator adds authorization entries to the file:

com.newco.grant:::Grant All NewCo Authorizations::
help=NewcoGrant.html
com.newco.grant.device:::Grant NewCo Device Authorizations::
help=NewcoGrantDevice.html
com.newco.device.allocate.tape:::Allocate Tape Device::
help=NewcoTapeAllocate.html
com.newco.device.allocate.floppy:::Allocate Floppy Device::
help=NewcoFloppyAllocate.html

The lines are split for display purposes.

The auth_attr entries create the following authorizations:

Example 21-3 Creating Trusted Path and Non-Trusted Path Authorizations

By default, the Allocate Devices authorization enables allocation from the trusted path and from outside the trusted path.

In the following example, site security policy requires restricting remote CD-ROM allocation. The security administrator creates the com.someco.device.cdrom.local authorization. This authorization is for CD-ROM drives that are allocated with the trusted path. The com.someco.device.cdrom.remote authorization is for those few users who are allowed to allocate a CD-ROM drive outside the trusted path.

The security administrator creates the help files, adds the authorizations to the auth_attr database, adds the authorizations to the devices, and then places the authorizations in rights profiles. The profiles are assigned to users who are allowed to allocate devices.

How to Add Site-Specific Authorizations to a Device in Trusted Extensions

Before You Begin

You must be in the Security Administrator role, or in a role that includes the Configure Device Attributes authorization. You must have already created site-specific authorizations, as described in How to Create New Device Authorizations.

  1. Follow the How to Configure a Device in Trusted Extensions procedure.
    1. Select a device that needs to be protected with your new authorizations.
    2. Click the Administration button.
    3. Click the Authorizations button.

      The new authorizations are displayed in the Not Required list.

    4. Add the new authorizations to the Required list of authorizations.
  2. To save your changes, click OK.

How to Assign Device Authorizations

The Allocate Device authorization enables users to allocate a device. The Allocate Device authorization, and the Revoke or Reclaim Device authorization, are appropriate for administrative roles.

Before You Begin

You must be in the Security Administrator role in the global zone.

If the existing profiles are not appropriate, the security administrator can create a new profile. For an example, see How to Create a Rights Profile for Convenient Authorizations.

Example 21-4 Assigning New Device Authorizations

In this example, the security administrator configures the new device authorizations for the system and assigns the rights profile with the new authorizations to trustworthy users. The security administrator does the following:

  1. Creates new device authorizations, as in How to Create New Device Authorizations

  2. In the Device Manager, adds the new device authorizations to the tape and diskette drives

  3. Places the new authorizations in the rights profile, NewCo Allocation

  4. Adds the NewCo Allocation rights profile to the profiles of users and roles who are authorized to allocate tape and diskette drives

Authorized users and roles can now use the tape drives and diskette drives on this system.