Solaris Trusted Extensions Administrator's Procedures
Previous Next

Document Information

Preface

Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding Solaris Trusted Extensions Software to the Solaris OS (Tasks)

4.  Configuring Trusted Extensions (Tasks)

Setting Up the Global Zone in Trusted Extensions

Creating Labeled Zones

Adding Network Interfaces and Routing to Labeled Zones

Creating Roles and Users in Trusted Extensions

Creating Home Directories in Trusted Extensions

Adding Users and Hosts to an Existing Trusted Network

Troubleshooting Your Trusted Extensions Configuration

Additional Trusted Extensions Configuration Tasks

5.  Configuring LDAP for Trusted Extensions (Tasks)

6.  Configuring a Headless System With Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

7.  Trusted Extensions Administration Concepts

8.  Trusted Extensions Administration Tools

9.  Getting Started as a Trusted Extensions Administrator (Tasks)

10.  Security Requirements on a Trusted Extensions System (Overview)

11.  Administering Security Requirements in Trusted Extensions (Tasks)

12.  Users, Rights, and Roles in Trusted Extensions (Overview)

13.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

14.  Remote Administration in Trusted Extensions (Tasks)

15.  Trusted Extensions and LDAP (Overview)

16.  Managing Zones in Trusted Extensions (Tasks)

17.  Managing and Mounting Files in Trusted Extensions (Tasks)

18.  Trusted Networking (Overview)

19.  Managing Networks in Trusted Extensions (Tasks)

20.  Multilevel Mail in Trusted Extensions (Overview)

21.  Managing Labeled Printing (Tasks)

22.  Devices in Trusted Extensions (Overview)

23.  Managing Devices for Trusted Extensions (Tasks)

24.  Trusted Extensions Auditing (Overview)

25.  Software Management in Trusted Extensions (Tasks)

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Using CDE Actions to Install Zones in Trusted Extensions

Associating Network Interfaces With Zones by Using CDE Actions (Task Map)

Preparing to Create Zones by Using CDE Actions (Task Map)

Creating Labeled Zones by Using CDE Actions (Task Map)

C.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

D.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

E.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Solaris Man Pages That Are Modified by Trusted Extensions

Glossary

Index

Adding Users and Hosts to an Existing Trusted Network

If you have users who are defined in NIS maps, you can add them to your network.

To add hosts and labels to hosts, see the following procedures:

Add an NIS User to the LDAP Server

Before You Begin

You must be superuser, in the root role, or in the Primary Administrator role.

  1. From the NIS database, gather the information that you need.
    1. Create a file from the user's entry in the aliases database.
      % ypcat -k aliases | grep login-name > aliases.name
    2. Create a file from the user's entry in the passwd database.
      % ypcat -k passwd | grep "Full Name" > passwd.name
    3. Create a file from the user's entry in the auto_home_ database.
      % ypcat -k auto_home | grep login-name > auto_home_label
  2. Reformat the information for LDAP and Trusted Extensions.
    1. Use the sed command to reformat the aliases entry.
      % sed 's/ /:/g' aliases.login-name > aliases
    2. Use the nawk command to reformat the passwd entry.
      % nawk -F: '{print $1":x:"$3":"$4":"$5":"$6":"$7}' passwd.name > passwd
    3. Use the nawk command to create a shadow entry.
      % nawk -F: '{print $1":"$2":6445::::::"}' passwd.name > shadow
    4. Use the nawk command to create a user_attr entry.
      % nawk -F: '{print $1"::::lock_after_retries=yes-or-no;profiles=user-profile, ...;
labelview=int-or-ext,show-or-hide;min_label=min-label;
clearance=max-label;type=normal;roles=role-name,...;
auths=auth-name,..."}' passwd.name > user_attr
  3. Copy the modified files to the /tmp directory on the LDAP server.
    # cp aliases auto_home_internal passwd shadow user_attr /tmp/name
  4. Add the entries in the files in Step 3 to the databases on the LDAP server.
    # /usr/sbin/ldapaddent -D "cn=directory manager" -w DM-password \
-a simple -f /tmp/name/aliases aliases
# /usr/sbin/ldapaddent -D "cn=directory manager" -w DM-password \
-a simple -f /tmp/name/auto_home_internal auto_home_internal
# /usr/sbin/ldapaddent -D "cn=directory manager" -w DM-password \
-a simple -f /tmp/name/passwd passwd
# /usr/sbin/ldapaddent -D "cn=directory manager" -w DM-password \
-a simple -f /tmp/name/shadow shadow
# /usr/sbin/ldapaddent -D "cn=directory manager" -w DM-password \
-a simple -f /tmp/name/user_attr user_attr
Example 4-8 Adding a User From an NIS Database to the LDAP Server

In the following example, the administrator adds a new user to the trusted network. The user's information is stored originally in an NIS database. To protect the LDAP server password, the administrator runs the ldapaddent commands on the server.

In Trusted Extensions, the new user can allocate devices and assume the Operator role. Because the user can assume a role, the user account does not get locked out. The user's minimum label is PUBLIC. The label at which the user works is INTERNAL, so jan is added to the auto_home_internal database. The auto_home_internal database automounts jan's home directory with read-write permissions.

  • On the LDAP server, the administrator extracts user information from NIS databases.

    # ypcat -k aliases | grep jan.doe > aliases.jan
# ypcat passwd | grep "Jan Doe" > passwd.jan
# ypcat -k auto_home | grep jan.doe > auto_home_internal

  • Then, the administrator reformats the entries for LDAP.

    # sed 's/ /:/g' aliases.jan > aliases
# nawk -F: '{print $1":x:"$3":"$4":"$5":"$6":"$7}' passwd.jan > passwd
# nawk -F: '{print $1":"$2":6445::::::"}' passwd.jan > shadow

  • Then, the administrator creates a user_attr entry for Trusted Extensions.

    # nawk -F: '{print $1"::::lock_after_retries=no;profiles=Media User;
labelview=internal,showsl;min_label=0x0002-08-08;
clearance=0x0004-08-78;type=normal;roles=oper;
auths=solaris.device.allocate"}' passwd.jan > user_attr

  • Then, the administrator copies the files to the /tmp/jan directory.

    # cp aliases auto_home_internal passwd shadow user_attr /tmp/jan

  • Finally, the administrator populates the server with the files in the /tmp/jan directory.

    # /usr/sbin/ldapaddent -D "cn=directory manager" -w a2b3c4d5e6 \
-a simple -f /tmp/jan/aliases aliases
# /usr/sbin/ldapaddent -D "cn=directory manager" -w a2b3c4d5e6 \
-a simple -f /tmp/jan/auto_home_internal auto_home_internal
# /usr/sbin/ldapaddent -D "cn=directory manager" -w a2b3c4d5e6 \
-a simple -f /tmp/jan/passwd passwd
# /usr/sbin/ldapaddent -D "cn=directory manager" -w a2b3c4d5e6 \
-a simple -f /tmp/jan/shadow shadow
# /usr/sbin/ldapaddent -D "cn=directory manager" -w a2b3c4d5e6 \
-a simple -f /tmp/jan/user_attr user_attr
Previous Next