This chapter provides step-by-step instructions for protecting devices, in addition to a reference section. The following is a list of the information in this chapter.Configuring Devices (Task Map) Configuring Device Policy (Task Map) Managing Device Allocation (Task Map) Allocating Devices (Task Map) Device Protection (Reference) For overview information about device protection, see Controlling Access to Devices. task mapsdevices task mapsconfiguring devices configuringdevices task map The following task map points to tasks for managing access to devices.Task For Instructions Manage device policy Configuring Device Policy (Task Map) Manage device allocation Managing Device Allocation (Task Map) Use device allocation Allocating Devices (Task Map) task mapsdevice policy task mapsmanaging device policy task mapsconfiguring device policy devicesmanaging device policymanaging devices device policytask map administeringdevice policy configuringdevice policy The following task map points to device configuration procedures that are related to device policy.Task Description For Instructions View the device policy for the devices on your system Lists the devices and their device policy. How to View Device Policy Require privilege for device use Uses privileges to protect a device. How to Change the Device Policy on an Existing Device Remove privilege requirements from a device Removes or lessens the privileges that are required to access a device. Example 5–3 Audit changes in device policy Records changes in device policy in the audit trail How to Audit Changes in Device Policy Access /dev/arp Gets Solaris IP MIB-II information. How to Retrieve IP MIB-II Information From a /dev/* Device device managementdevice policy devicesdevice allocationdevice allocation device policyconfiguring accessrestricting fordevicesaccesssecuritydevicesDevice policy restricts or prevents access to devices that are integral to the system. The policy is enforced in the kernel.new featurescommandsgetdevpolicy device policyviewing listingdevice policy policieson devices devicesviewing device policy viewingdevice policy deviceslisting displayingdevice policy Display the device policy for all devices on your system.% getdevpolicy | more DEFAULT read_priv_set=none write_priv_set=none ip:* read_priv_set=net_rawaccess write_priv_set=net_rawaccess … In this example, the device policy for three devices is displayed.% getdevpolicy /dev/allkmem /dev/ipsecesp /dev/hme /dev/allkmem read_priv_set=all write_priv_set=all /dev/ipsecesp read_priv_set=sys_net_config write_priv_set=sys_net_config /dev/hme read_priv_set=net_rawaccess write_priv_set=net_rawaccess device policychanging changingdevice policy addingsecurity to devices devicesadding device policy deviceschanging device policy update_drv commandusing device policyupdate_drv command Assume a role that includes the Device Security rights profile, or become superuser.The Primary Administrator role includes the Device Security rights profile. You can also assign the Device Security rights profile to a role that you create. To create the role and assign the role to a user, see Example 9–3. Add policy to a device.# update_drv -a -p policy device-driveraSpecifies a policy for device-driver. p policyIs the device policy for device-driver. Device policy specifies two sets of privileges. One set is required to read the device. The other set is required to write to the device. device-driverIs the device driver. For more information, see the update_drv1M man page. In the following example, device policy is added to the ipnat device.# getdevpolicy /dev/ipnat /dev/ipnat read_priv_set=none write_priv_set=none # update_drv -a \ -p 'read_priv_set=net_rawaccess write_priv_set=net_rawaccess' ipnat # getdevpolicy /dev/ipnat /dev/ipnat read_priv_set=net_rawaccess write_priv_set=net_rawaccess devicesremoving policy removingpolicy from device removingdevice policy device policyremoving from device In the following example, the read set of privileges is removed from the device policy for the ipnat device.# getdevpolicy /dev/ipnat /dev/ipnat read_priv_set=net_rawaccess write_priv_set=net_rawaccess # update_drv -a -p write_priv_set=net_rawaccess ipnat # getdevpolicy /dev/ipnat /dev/ipnat read_priv_set=none write_priv_set=net_rawaccess devicesauditing policy changes auditingchanges in device policy device policyauditing changes By default, the as audit class includes the AUE_MODDEVPLCY audit event. &rolePAstep;Preselect the audit class that includes AUE_MODDEVPLCY audit event.Add the as class to the flags line of the audit_control file. The file would appear similar to the following:# audit_control file dir:/var/audit flags:lo,as minfree:20 naflags:loFor detailed instructions, see How to Modify the audit_control File. devicesgetting IP MIB-II information IP MIB-IIgetting information from /dev/arp /dev/arp devicegetting IP MIB-II information Applications that retrieve Solaris IP MIB-II information should open /dev/arp, not /dev/ip. Determine the device policy on /dev/ip and /dev/arp.% getdevpolicy /dev/ip /dev/arp /dev/ip read_priv_set=net_rawaccess write_priv_set=net_rawaccess /dev/arp read_priv_set=none write_priv_set=noneNote that the net_rawaccess privilege is required for reading and writing to /dev/ip. No privileges are required for /dev/arp. Open /dev/arp and push the tcp and udp modules.No privileges are required. This method is equivalent to opening /dev/ip and pushing the arp, tcp and udp modules. Because opening /dev/ip now requires a privilege, the /dev/arp method is preferred. task mapsmanaging device allocation task mapsdevice allocation administeringdevice allocation configuringdevice allocation managingdevice allocation task map managingdevices device allocationadding devices device allocationmanaging devices device allocationtask map devicesmanaging allocation of The following task map points to procedures that enable and configure device allocation. Device allocation is not enabled by default. After device allocation is enabled, see Allocating Devices (Task Map).Task Description For Instructions Make a device allocatable Enables a device to be allocated to one user at a time. How to Make a Device Allocatable Authorize users to allocate a device Assigns device allocation authorizations to users. How to Authorize Users to Allocate a Device View the allocatable devices on your system Lists the devices that are allocatable, and the state of the device. How to View Allocation Information About a Device Forcibly allocate a device Allocates a device to a user who has an immediate need Forcibly Allocating a Device Forcibly deallocate a device Deallocates a device that is currently allocated to a user Forcibly Deallocating a Device Change the allocation properties of a device Changes the requirements for allocating a device How to Change Which Devices Can Be Allocated Create a device-clean script Purges data from a physical device. Writing New Device-Clean Scripts Disable device allocation Removes allocation restrictions from all devices. How to Disable the Auditing Service Audit device allocation Records device allocation in the audit trail How to Audit Device Allocation addingsecurity to devices Device allocation restricts or prevents access to peripheral devices. Restrictions are enforced at user allocation time. By default, users must have authorization to access allocatable devices.devicesmaking allocatable device allocationmaking device allocatable device allocationenabling addingallocatable device enablingdevice allocation startingdevice allocation If you have already run the bsmconv command to enable auditing, then device allocation is already enabled on your system. For more information, see the bsmconv1M man page. Assume a role that includes the Audit Control rights profile, or become superuser.The Primary Administrator role includes the Audit Control rights profile. You can also assign the Audit Control rights profile to a role that you create. To create the role and assign the role to a user, see Example 9–3. scriptsbsmconv for device allocationdevice allocationenablingenablingdevice allocationEnable device allocation.# bsmconv This script is used to enable the Basic Security Module (BSM). Shall we continue with the conversion now? [y/n] y bsmconv: INFO: checking startup file. bsmconv: INFO: move aside /etc/rc3.d/S81volmgt. bsmconv: INFO: turning on audit module. bsmconv: INFO: initializing device allocation files. The Basic Security Module is ready. If there were any errors, please fix them now. Configure BSM by editing files located in /etc/security. Reboot this system now to come up with BSM enabled.The Volume Management daemon (/etc/rc3.d/S81volmgt) is disabled by this command. devicesauthorizing users to allocate device allocationauthorizing users to allocate usersassigning allocate authorization to authorizations (RBAC)for allocating device &rolePAstep;Create a rights profile that contains the appropriate authorization and commands.allocate commanduser authorizationauthorizations (RBAC)solaris.device.allocatesecurity attributesusing to mount allocated devicemount commandwith security attributesumount commandwith security attributesTypically, you would create a rights profile that includes the solaris.device.allocate authorization. Follow the instructions in How to Create or Change a Rights Profile. Give the rights profile appropriate properties, such as the following:Rights profile name: Device Allocation Granted authorizations: solaris.device.allocate Commands with security attributes: mount with the sys_mount privilege, and umount with the sys_mount privilege Create a role for the rights profile.Follow the instructions in How to Create and Assign a Role by Using the GUI. Use the following role properties as a guide:Role name: devicealloc Role full name: Device Allocator Role description: Allocates and mounts allocated devices Rights profile: Device AllocationThis rights profile must be at the top of the list of profiles that are included in the role. Assign the role to every user who is permitted to allocate a device. Teach the users how to use device allocation.For examples of allocating removable media, see How to Allocate a Device. daemonsvoldvold daemonturned off by device allocationBecause the Volume Management daemon (vold) is not running, removable media are not automatically mounted. For examples of mounting a device that has been allocated, see How to Mount an Allocated Device. device allocationviewing information devicesviewing allocation information viewingdevice allocation information displayingallocatable devices Device allocation must be enabled for this procedure to succeed. To enable device allocation, see How to Make a Device Allocatable. Assume a role that includes the Device Security rights profile, or become superuser.The Primary Administrator role includes the Device Security rights profile. You can also assign the Device Security rights profile to a role that you create. To create the role and assign the role to a user, see Example 9–3. deviceslisting device namesnaming conventionsdevicesDisplay information about allocatable devices on your system.# list_devices device-namewhere device-name is one of the following:audio[n] – Is a microphone and speaker. fd[n] – Is a diskette drive. sr[n] – Is a CD-ROM drive. st[n] – Is a tape drive. troubleshootinglist_devices commandIf the list_devices command returns an error message similar to the following, then either device allocation is not enabled, or you do not have sufficient permissions to retrieve the information.list_devices: No device maps file entry for specified device.For the command to succeed, enable device allocation and assume a role with the solaris.device.revoke authorization. allocating devicesforcibly devicesforcibly allocating device allocationforcibly allocating devices Forcible allocation is used when someone has forgotten to deallocate a device. Forcible allocation can also be used when a user has an immediate need for a device. The user or role must have the solaris.device.revoke authorization. Determine if you have the appropriate authorizations in your role.$ auths solaris.device.allocate solaris.device.revoke Forcibly allocate the device to the user who needs the device.In this example, the tape drive is forcibly allocated to the user jdoe.$ allocate -U jdoe deallocatingforcibly devicesforcibly deallocating device allocationforcibly deallocating devices Devices that a user has allocated are not automatically deallocated when the process terminates or when the user logs out. Forcible deallocation is used when a user has forgotten to deallocate a device. The user or role must have the solaris.device.revoke authorization. Determine if you have the appropriate authorizations in your role.$ auths solaris.device.allocate solaris.device.revoke Forcibly deallocate the device.In this example, the printer is forcibly deallocated. The printer is now available for allocation by another user.$ deallocate -f /dev/lp/printer-1 changingallocatable devices device allocationchanging allocatable devices device allocationrequiring authorization deviceschanging which are allocatable Assume a role that includes the Device Security rights profile, or become superuser.The Primary Administrator role includes the Device Security rights profile. You can also assign the Device Security rights profile to a role that you create. To create the role and assign the role to a user, see Example 9–3. Specify if authorization is required, or specify the solaris.device.allocate authorization.device_allocate filesampleChange the fifth field in the device entry in the device_allocate file.audio;audio;reserved;reserved;solaris.device.allocate;/etc/security/lib/audio_clean fd0;fd;reserved;reserved;solaris.device.allocate;/etc/security/lib/fd_clean sr0;sr;reserved;reserved;solaris.device.allocate;/etc/security/lib/sr_cleanwhere solaris.device.allocate indicates that a user must have the solaris.device.allocate authorization to use the device. authorizations (RBAC)not requiring for device allocationdevicesnot requiring authorization for usedevice allocationnot requiring authorizationIn the following example, any user on the system can allocate any device. The fifth field in every device entry in the device_allocate file has been changed to an at sign (@).$ whoami devicesec $ vi /etc/security/device_allocate audio;audio;reserved;reserved;@;/etc/security/lib/audio_clean fd0;fd;reserved;reserved;@;/etc/security/lib/fd_clean sr0;sr;reserved;reserved;@;/etc/security/lib/sr_clean … devicespreventing use of some In the following example, the audio device cannot be used. The fifth field in the audio device entry in the device_allocate file has been changed to an asterisk (*).$ whoami devicesec $ vi /etc/security/device_allocate audio;audio;reserved;reserved;*;/etc/security/lib/audio_clean fd0;fd;reserved;reserved;solaris device.allocate;/etc/security/lib/fd_clean sr0;sr;reserved;reserved;solaris device.allocate;/etc/security/lib/sr_clean … device allocationpreventing devicespreventing use of all In the following example, no peripheral device can be used. The fifth field in every device entry in the device_allocate file has been changed to an asterisk (*).$ whoami devicesec $ vi /etc/security/device_allocate audio;audio;reserved;reserved;*;/etc/security/lib/audio_clean fd0;fd;reserved;reserved;*;/etc/security/lib/fd_clean sr0;sr;reserved;reserved;*;/etc/security/lib/sr_clean … devicesauditing allocation of auditingdevice allocation device allocationauditing By default, the device allocation commands are in the other audit class. &rolePAstep;Preselect the ot class for auditing.Add the ot class to the flags line of the audit_control file. The file would appear similar to the following:# audit_control file dir:/var/audit flags:lo,ot minfree:20 naflags:loFor detailed instructions, see How to Modify the audit_control File. task mapsallocating devices task mapsusing device allocation allocating devicestask map usingdevice allocation user proceduresallocating devices device allocationuser procedures device allocationusing devicesallocating for use The following task map points to procedures that show users how to allocate devices.Task Description For Instructions Allocate a device Enables a user to use a device, while preventing any other user from using the device. How to Allocate a Device Mount an allocated device Enables a user to view a device that requires mounting, such as a CD-ROM or a diskette. How to Mount an Allocated Device Deallocate a device Makes an allocatable device available for use by another user. How to Deallocate a Device Device allocation reserves the use of a device to one user at a time. Devices that require a mount point must be mounted.device allocationallocating devices allocating devicesby users usersallocating devices usingdevice allocation usingallocate command allocate commandusing device allocationusing allocate command Device allocation must be enabled, as described in How to Make a Device Allocatable. If authorization is required, the user must have the authorization. Allocate the device.Specify the device by device name.% allocate device-name Verify that the device is allocated.Run the identical command.% allocate device-name allocate. Device already allocated. microphoneallocating In this example, the user jdoe allocates a microphone, audio.% whoami jdoe % allocate audio In this example, a user allocates a printer. No one else can print to printer-1 until the user deallocates it, or until the printer is forcibly allocated to another user.% allocate /dev/lp/printer-1For an example of forcible deallocation, see Forcibly Deallocating a Device. device allocationexamples allocate commandtape drive tape drivesallocating In this example, the user jdoe allocates a tape drive, st0.% whoami jdoe % allocate st0 troubleshootingallocating a deviceIf the allocate command cannot allocate the device, an error message is displayed in the console window. For a list of allocation error messages, see the allocate1 man page. device allocationmounting devices usersmounting allocated devices devicesmounting allocated devices mountingallocated devices The user or role has allocated the device. To mount a device, the user or role must have the privileges that are required for mounting the device. To give the required privileges, see How to Authorize Users to Allocate a Device. Assume a role that can allocate and mount a device.% su - role-name Password: <Type role-name password> $ Create and protect a mount point in the role's home directory.You only need to do this step the first time you need a mount point.$ mkdir mount-point ; chmod 700 mount-point List the allocatable devices.$ list_devices -l List of allocatable devices Allocate the device.Specify the device by device name.$ allocate device-name Mount the device.$ mount -o ro -F filesystem-type device-path mount-pointwhereo roIndicates that the device is to be mounted read-only. Useo rw to indicate that you should be able to write to the device. F filesystem-typeIndicates the file system format of the device. Typically, a CD-ROM is formatted with an HSFS file system. A diskette is typically formatted with a PCFS file system. device-pathIndicates the path to the device. The output of the list_devices -l command includes the device-path. mount-pointIndicates the mount point that you created in Step 2. diskette drivesallocating mountingallocated diskette usingmount commandIn this example, a user assumes a role that can allocate and mount a diskette drive, fd0. The diskette is formatted with a PCFS file system.% roles devicealloc % su - devicealloc Password: <Type devicealloc password> $ mkdir /home/devicealloc/mymnt $ chmod 700 /home/devicealloc/mymnt $ list_devices -l ... device: fd0 type: fd files: /dev/diskette /dev/rdiskette /dev/fd0a ... $ allocate fd0 $ mount -o ro -F pcfs /dev/diskette /home/devicealloc/mymnt $ ls /home/devicealloc/mymnt List of the contents of diskette CD-ROM drivesallocating mountingallocated CD-ROM In this example, a user assumes a role that can allocate and mount a CD-ROM drive, sr0. The drive is formatted as an HSFS file system.% roles devicealloc % su - devicealloc Password: <Type devicealloc password> $ mkdir /home/devicealloc/mymnt $ chmod 700 /home/devicealloc/mymnt $ list_devices -l ... device: sr0 type: sr files: /dev/sr0 /dev/rsr0 /dev/dsk/c0t2d0s0 ... ... $ allocate sr0 $ mount -o ro -F hsfs /dev/sr0 /home/devicealloc/mymnt $ cd /home/devicealloc/mymnt ; ls List of the contents of CD-ROM troubleshootingmounting a deviceIf the mount command cannot mount the device, an error message is displayed: mount: insufficient privileges. Check the following:Make sure that you are executing the mount command in a profile shell. If you have assumed a role, the role has a profile shell. If you are a user who has been assigned a profile with the mount command, you must create a profile shell. The commands pfsh, pfksh, and pfcsh create a profile shell. Make sure that you own the specified mount point. You should have read, write, and execute access to the mount point. Contact your administrator if you still cannot mount the allocated device. device allocationdeallocating devices devicesdeallocating a device deallocatingdevices usersdeallocating devices deallocate commandusing device allocationdeallocate commandusing Deallocation enables other users to allocate and use the device when you are finished. You must have allocated the device. If the device is mounted, unmount the device.$ cd $HOME $ umount mount-point Deallocate the device.$ deallocate device-name microphonedeallocating deallocatingmicrophone usingdeallocate command In this example, the user jdoe deallocates the microphone, audio.% whoami jdoe % deallocate audio usersunmounting allocated devices unmountingallocated devices devicesunmounting allocated device device allocationunmounting allocated device usingumount commandIn this example, the Device Allocator role deallocates a CD-ROM drive. After the message is printed, the CD-ROM is ejected.$ whoami devicealloc $ cd /home/devicealloc $ umount /home/devicealloc/mymnt $ ls /home/devicealloc/mymnt $ $ deallocate sr0 /dev/sr0: 326o /dev/rsr0: 326o … sr_clean: Media in sr0 is ready. Please, label and store safely. device policykernel protection Devices in the Solaris OS are protected by device policy. Peripheral devices can be protected by device allocation. Device policy is enforced by the kernel. Device allocation is optionally enabled, and is enforced at the user level.commandsdevice policy commands devicespolicy commands device policycommandsdevice policyadd_drv commanddevice policyupdate_drv commandDevice management commands administer the device policy on local files. Device policy can include privilege requirements. Only superuser or a role of equivalent capabilities can manage devices.The following table lists the device management commands.Command Purpose Man Page devfsadm commanddescriptiondevfsadm Administers devices and device drivers on a running system. Also loads device policy.The devfsadm command enables the cleanup of dangling /dev links to disk, tape, port, audio, and pseudo devices. Devices for a named driver can also be reconfigured. devfsadm1M getdevpolicy commanddescriptiongetdevpolicy Displays the policy associated with one or more devices. This command can be run by any user. getdevpolicy1M add_drv commanddescriptionadd_drv Adds a new device driver to a running system. Contains options to add device policy to the new device. Typically, this command is called in a script when a device driver is being installed. add_drv1M update_drv commanddescriptionupdate_drv Updates the attributes of an existing device driver. Contains options to update the device policy for the device. Typically, this command is called in a script when a device driver is being installed. update_drv1M rem_drv commanddescriptionrem_drv Removes a device or device driver. rem_drv1M Device allocation can protect your site from loss of data, computer viruses, and other security breaches. Unlike device policy, device allocation is optional. Devices are not allocatable until the bsmconv script is run. Device allocation uses authorizations to limit access to allocatable devices.device allocationcomponents of mechanism componentsdevice allocation mechanism The components of the device allocation mechanism are as follows:The allocate, deallocate, dminfo, and list_devices commands. For more information, see Device Allocation Commands. Device-clean scripts for each allocatable device. These commands and scripts use the following local files to implement device allocation:The /etc/security/device_allocate file. For more information, see the device_allocate4 man page. The /etc/security/device_maps file. For more information, see the device_maps4 man page. A lock file, in the /etc/security/dev directory, for each allocatable device. The changed attributes of the lock files that are associated with each allocatable device. The /etc/security/dev directory might not be supported in future releases of the Solaris OS. device allocationcommandscommandsdevice allocation commandsWith uppercase options, the allocate, deallocate, and list_devices commands are administrative commands. Otherwise, these commands are user commands. The following table lists the device allocation commands.Command Purpose Man Page bsmconv Creates databases to handle device allocation. Also enables the auditing service. You must be superuser or in the Primary Administrator role. bsmconv1M dminfo Searches for an allocatable device by device type, by device name, and by full path name. dminfo1M list_devices commanddescriptionlist_devices Lists the status of allocatable devices.Lists all the device-special files that are associated with any device that is listed in the device_maps file. list_devices1 U optionlist_devices commandlist_devices -U Lists the devices that are allocatable or allocated to the specified user ID. This option allows you to check which devices are allocatable or allocated to another user. You must have the solaris.device.revoke authorization. device allocationallocate commandallocate commanddescriptionallocate Reserves an allocatable device for use by one user.authorizations (RBAC)solaris.device.allocateBy default, a user must have the solaris.device.allocate authorization to allocate a device. You can modify the device_allocate file to not require user authorization. Then, any user on the system can request the device to be allocated for use. allocate1 device allocationdeallocate commanddeallocate commanddescriptiondeallocate Removes the allocation reservation from a device. deallocate1 device allocationauthorizations for commands authorizations (RBAC)for device allocation By default, users must have the solaris.device.allocate authorization to reserve an allocatable device. To create a rights profile to include the solaris.device.allocate authorization, see How to Authorize Users to Allocate a Device.allocate commandauthorizations fordeallocate commandauthorizations forlist_devices commandauthorizations forsolaris.device.revoke authorizationauthorizations (RBAC)solaris.device.revokeU optionallocate commandAdministrators must have the solaris.device.revoke authorization to change the allocation state of any device. For example, the U option to the allocate and list_devices commands, and the F option to the deallocate command require the solaris.device.revoke authorization.For more information, see Commands That Require Authorizations. allocate error state device allocationallocate error state errorsallocate error state deallocate commandallocate error state F optiondeallocate command A device is put in an allocate error state when the deallocate command fails to deallocate, or when the allocate command fails to allocate. When an allocatable device is in an allocate error state, then the device must be forcibly deallocated. Only superuser or a role with the Device Management rights profile or the Device Security rights profile can handle an allocate error state.deallocate commandallocate error stateallocate commandallocate error stateThe deallocate command with the F option forces deallocation. Or, you can use allocate -U to assign the device to a user. Once the device is allocated, you can investigate any error messages that appear. After any problems with the device are corrected, you can forcibly deallocate it. device allocationdevice_maps file /etc/security/bsmconv script bsmconv scriptcreating device_maps file configuration filesdevice_maps filedevice allocationconfiguration filedevice_maps filedescription/etc/security/device_maps fileDevice maps are created when you set up device allocation. A default /etc/security/device_maps file is created by the bsmconv command when the auditing service is enabled. This initial device_maps file can be customized for your site. The device_maps file includes the device names, device types, and device-special files that are associated with each allocatable device.dminfo commandThe device_maps file defines the device-special file mappings for each device, which in many cases is not intuitive. This file allows programs to discover which device-special files map to which devices. You can use the dminfo command, for example, to retrieve the device name, the device type, and the device-special files to specify when you set up an allocatable device. The dminfo command uses the device_maps file to report this information.device_maps fileformatEach device is represented by a one-line entry of the form:device-name:device-type:device-listdevice_maps filesample entriesThe following is an example of an entry in a device_maps file for a diskette drive, fd0:fd0:\ fd:\ /dev/diskette /dev/rdiskette /dev/fd0a /dev/rfd0a \ /dev/fd0b /dev/rfd0b /dev/fd0c /dev/fd0 /dev/rfd0c /dev/rfd0:\ \ (backslash)device_maps file# (pound sign)device_maps filepound sign (#)device_maps file\ (backslash)device_maps fileLines in the device_maps file can end with a backslash (\) to continue an entry on the next line. Comments can also be included. A pound sign (#) comments all subsequent text until the next newline that is not immediately preceded by a backslash. Leading and trailing blanks are allowed in any field. The fields are defined as follows:device-namenamesdevice namesdevice_maps fileSpecifies the name of the device. For a list of current device names, see How to View Allocation Information About a Device. device-typeSpecifies the generic device type. The generic name is the name for the class of devices, such as st, fd, or audio. The device-type field logically groups related devices. device-listLists the device-special files that are associated with the physical device. The device-list must contain all of the special files that allow access to a particular device. If the list is incomplete, a malevolent user can still obtain or modify private information. Valid entries for the device-list field reflect the device files that are located in the /dev directory. device allocationdevice_allocate file device_allocate filedescription device_allocate filesample/etc/security/device_allocate fileAn initial /etc/security/device_allocate file is created by the bsmconv command when the auditing service is enabled. This initial device_allocate file can be used as a starting point. You can modify the device_allocate file to change devices from allocatable to nonallocatable, or to add new devices. A sample device_allocate file follows.st0;st;;;;/etc/security/lib/st_clean fd0;fd;;;;/etc/security/lib/fd_clean sr0;sr;;;;/etc/security/lib/sr_clean audio;audio;;;*;/etc/security/lib/audio_cleansemicolon (;)device_allocate file; (semicolon)device_allocate file* (asterisk)device_allocate fileasterisk (*)device_allocate fileAn entry in the device_allocate file does not mean that the device is allocatable, unless the entry specifically states that the device is allocatable. In the sample device_allocate file, note the asterisk (*) in the fifth field of the audio device entry. An asterisk in the fifth field indicates to the system that the device is not allocatable. Therefore, the device cannot be used. Other values or no value in this field indicates that the device can be used.device_allocate fileformatIn the device_allocate file, each device is represented by a one-line entry of the form:device-name;device-type;reserved;reserved;auths;device-exec\ (backslash)device_allocate file# (pound sign)device_allocate filepound sign (#)device_allocate file\ (backslash)device_allocate fileLines in the device_allocate file can end with a backslash (\) to continue an entry on the next line. Comments can also be included. A pound sign (#) comments all subsequent text until the next newline that is not immediately preceded by a backslash. Leading and trailing blanks are allowed in any field. The fields are defined as follows:device-namenamesdevice namesdevice_maps fileSpecifies the name of the device. For a list of current device names, see How to View Allocation Information About a Device. device-typeSpecifies the generic device type. The generic name is the name for the class of devices, such as st, fd, and sr. The device-type field logically groups related devices. When you make a device allocatable, retrieve the device name from the device-type field in the device_maps file. reservedSun reserves the two fields that are marked reserved for future use. auths* (asterisk)device_allocate fileasterisk (*)device_allocate file@ (at sign)device_allocate fileat sign (@)device_allocate fileSpecifies whether the device is allocatable. An asterisk (*) in this field indicates that the device is not allocatable. An authorization string, or an empty field, indicates that the device is allocatable. For example, the string solaris.device.allocate in the auths field indicates that the solaris.device.allocate authorization is required to allocate the device. An at sign (@) in this file indicates that the device is allocatable by any user. device-execSupplies the path name of a script to be invoked for special handling, such as cleanup and object-reuse protection during the allocation process. The device-exec script is run any time that the device is acted on by the deallocate command. For example, the following entry for the sr0 device indicates that the CD-ROM drive is allocatable by a user with the solaris.device.allocate authorization:sr0;sr;reserved;reserved;solaris.device.allocate;/etc/security/lib/sr_cleandevice allocationallocatable devicesdevice-clean scriptstape drivesscriptsdevice-clean scriptsdevice-clean scriptsYou can decide to accept the default devices and their defined characteristics. After you install a new device, you can modify the entries. Any device that needs to be allocated before use must be defined in the device_allocate and device_maps files for that device's system. Currently, cartridge tape drives, diskette drives, CD-ROM drives, and audio chips are considered allocatable. These device types have device-clean scripts.device-clean scriptstape drivesArchive tape drive device-clean scriptXylogics tape drive device-clean scriptdevice allocationdevice-clean scriptstape drivesSCSI devicesst_clean scriptst_clean scriptfor tape drivesdevice allocationallocatable devicesobject reuse requirementsdevice-clean scriptstape drivestape drivesdevice-clean scriptsXylogics tape drives or Archive tape drives also use the st_clean script that is supplied for SCSI devices. You need to create your own device-clean scripts for other devices, such as modems, terminals, graphics tablets, and other allocatable devices. The script must fulfill object-reuse requirements for that type of device. securityprotecting devices device allocationdevice-clean scriptsdescription device-clean scriptsdescription scriptsfor cleaning devices object reuse requirementsfor devices device-clean scriptsand object reuse Device allocation satisfies part of what is called the object reuse requirement. The device-clean scripts address the security requirement that all usable data be purged from a physical device before reuse. The data is cleared before the device is allocatable by another user. By default, cartridge tape drives, diskette drives, CD-ROM drives, and audio devices require device-clean scripts. The Solaris OS provides the scripts. This section describes what device-clean scripts do.device allocationdevice-clean scriptstape drives device-clean scriptstape drives tape drivescleaning of data st_clean scriptdescription The st_clean device-clean script supports three tape devices:SCSI ¼-inch tape Archive ¼-inch tape Open-reel ½-inch tape rewoffl optionmt commandtape device cleanup andmt commandtape device cleanup andThe st_clean script uses the rewoffl option to the mt command to clean up the device. For more information, see the mt1 man page. If the script runs during system boot, the script queries the device to determine if the device is online. If the device is online, the script determines if the device has media in it. The ¼-inch tape devices that have media in them are placed in the allocate error state. The allocate error state forces the administrator to manually clean up the device.During normal system operation, when the deallocate command is executed in interactive mode, the user is prompted to remove the media. Deallocation is delayed until the media is removed from the device. CD-ROM drivessecurity device allocationdevice-clean scriptsCD-ROM drives device allocationdevice-clean scriptsdiskette drives device-clean scriptsCD-ROM drives device-clean scriptsdiskette drives diskette drivesdevice-clean scripts The following device-clean scripts are provided for diskettes and CD-ROM drives:fd_clean scriptdescriptionfd_clean script – Is a device-clean script for diskettes. sr_clean scriptdescriptionsr_clean script – Is a device-clean script for CD-ROM drives. eject commanddevice cleanup andThe scripts use the eject command to remove the media from the drive. If the eject command fails, the device is placed in the allocate error state. For more information, see the eject1 man page. system callsioctl to clean audio device audio devicessecurity device allocationdevice-clean scriptsaudio devices device-clean scriptsaudio devices ioctl system callsAUDIO_SETINFO Audio devices are cleaned up with an audio_clean script. The script performs an AUDIO_GETINFO ioctl system call to read the device. The script then performs an AUDIO_SETINFO ioctl system call to reset the device configuration to the default. device allocationdevice-clean scriptswriting new scripts device-clean scriptswriting new scripts object reuse requirementsdevice-clean scriptswriting new scripts creatingnew device-clean scripts deallocate commanddevice-clean scripts and device allocationdeallocate commanddevice-clean scripts and If you add more allocatable devices to the system, you might need to create your own device-clean scripts. The deallocate command passes a parameter to the device-clean scripts. The parameter, which is shown here, is a string that contains the device name. For more information, see the device_allocate4 man page.clean-script -[I|i|f|S] device-namedevice allocationdevice-clean scriptsoptionsdevice-clean scriptsoptionsDevice-clean scripts must return “0” for success and greater than “0” for failure. The options I, f, and S determine the running mode of the script:II optionst_clean scriptIs needed during system boot only. All output must go to the system console. Failure or inability to forcibly eject the media must put the device in the allocate error state. ii optionst_clean scriptSimilar to the I option, except that output is suppressed. ff optionst_clean scriptforced cleanupst_clean scriptIs for forced cleanup. The option is interactive and assumes that the user is available to respond to prompts. A script with this option must attempt to complete the cleanup if one part of the cleanup fails. SS optionst_clean scriptstandard cleanupst_clean scriptIs for standard cleanup. The option is interactive and assumes that the user is available to respond to prompts.