This chapter contains tasks that are commonly performed on a system that is configured with Solaris Trusted Extensions. tasks and task mapsCommon Tasks in Trusted Extensions (Task Map) Common Tasks in Trusted Extensions (Task Map) The following task map describes procedures that set up a working environment for administrators of Trusted Extensions.Task Description For Instructions Change the editor program for the trusted editor. Specify the editor for administrative files. How to Assign the Editor of Your Choice as the Trusted Editor Change the password for root. Specify a new password for the root user, or for the root role. How to Change the Password for root Change the password for a role. Specifies a new password for your current role. Example 11–2 Use the Secure Attention key combination. Gets control of the mouse or keyboard. Also, tests whether the mouse or keyboard is trusted. How to Regain Control of the Desktop's Current Focus Determine the hexadecimal number for a label. Displays the internal representation for a text label. How to Obtain the Hexadecimal Equivalent for a Label Determine the text representation for a label. Displays the text representation for a hexadecimal label. How to Obtain a Readable Label From Its Hexadecimal Form Edit system files. Securely edits Solaris or Trusted Extensions system files. How to Change Security Defaults in System Files Allocate a device. Uses a peripheral device to add information to or remove information from the system. How to Allocate a Device in Trusted Extensions in Solaris Trusted Extensions User’s Guide Administer a host remotely. Administers Solaris or Trusted Extensions hosts from a remote host. Chapter 14, Remote Administration in Trusted Extensions (Tasks) trusted editorassigning your favorite editor assigningeditor as the trusted editor The trusted editor uses the value of the $EDITOR environment variable as its editor. You must be in a role in the global zone. Determine the value of the $EDITOR variable.# echo $EDITORThe following are editor possibilities. The $EDITOR variable might also not be set./usr/dt/bin/dtpad – Is the editor that CDE provides. /usr/bin/gedit – Is the editor that GNOME provides. Trusted GNOME is the trusted version of that desktop. /usr/bin/vi – Is the visual editor. Set the value of the $EDITOR variable.To set the value permanently, modify the value in the shell initialization file for the role.For example, in the role's home directory, modify the .kshrc file for a Korn shell, and the .cshrc file for a C shell. To set the value for the current shell, set the value in the terminal window.For example, in a Korn shell, use the following commands:# setenv EDITOR=pathname-of-editor # export $EDITORIn a C shell, use the following command:# setenv EDITOR=pathname-of-editorIn a Bourne shell, use the following commands:# EDITOR=pathname-of-editor # export EDITOR The Security Administrator role wants to use vi when editing system files. A user who has assumed the role modifies the .kshrc initialization file in the role's home directory.$ cd /home/secadmin $ vi .kshrc ## Interactive shell set -o vi ... export EDITOR=viThe next time that any user assumes the Security Administrator role, vi is the trusted editor. Change Password menu itemusing to change root password passwordsChange Password menu item passwordschanging for root The Security Administrator role is authorized to change any account's password at any time by using the Solaris Management Console. However, the Solaris Management Console cannot change the password of a system account. A system account is an account whose UID is below 100. root is a system account because its UID is 0. Become superuser.If your site has made superuser into the root role, assume the root role. Choose Change Password from the Trusted Path menu. The illustration shows the Trusted Path menu. Change the password, and confirm the change. Any user who can assume a role that is defined in LDAP can use the Trusted Path menu to change the password for the role. The password is then changed in LDAP for all users who attempt to assume the role.As in the Solaris OS, the Primary Administrator role can change the password for a role by using the Solaris Management Console. In Trusted Extensions, the Security Administrator role can change another role's password by using the Solaris Management Console. hot keyregaining control of desktop focus key combinationstesting if grab is trusted regaining control of desktop focus restoring control of desktop focus usersrestoring control of desktop focus trusted grabkey combination secure attentionkey combination The “Secure Attention” key combination can be used to break a pointer grab or a keyboard grab by an untrusted application. The key combination can also be used to verify if a pointer or a keyboard has been grabbed by a trusted application. On a multiheaded system that has been spoofed to display more than one trusted stripe, this key combination warps the pointer to the authorized trusted stripe. To regain control of a Sun keyboard, use the following key combination.Press the keys simultaneously to regain control of the current desktop focus. On the Sun keyboard, the diamond is the Meta key.<Meta> <Stop>If the grab, such as a pointer, is not trusted, the pointer moves to the stripe. A trusted pointer does not move to the trusted stripe. If you are not using a Sun keyboard, use the following key combination.<Alt> <Break>Press the keys simultaneously to regain control of the current desktop focus on your laptop. passwordstesting if password prompt is trusted On an x86 system that is using a Sun keyboard, the user has been prompted for a password. The cursor has been grabbed, and is in the password dialog box. To check that the prompt is trusted, the user presses the <Meta> <Stop> keys simultaneously. When the pointer remains in the dialog box, the user knows that the password prompt is trusted.If the pointer had moved to the trusted stripe, the user would know that the password prompt could not be trusted, and contact the administrator. trusted stripewarping pointer to In this example, a user is not running any trusted processes but cannot see the mouse pointer. To bring the pointer to the center of the trusted stripe, the user presses the <Meta> <Stop> keys simultaneously. atohexlabel command labelsdisplaying in hexadecimal findinglabel equivalent in hexadecimal This procedure provides an internal hexadecimal representation of a label. This representation is safe for storing in a public directory. For more information, see the atohexlabel1M man page. You must be in the Security Administrator role in the global zone. For details, see How to Enter the Global Zone in Trusted Extensions. To obtain a hexadecimal value for a label, do one of the following.To obtain the hexadecimal value for a sensitivity label, pass the label to the command.$ atohexlabel "CONFIDENTIAL : NEED TO KNOW" 0x0004-08-68 To obtain the hexadecimal value for a clearance, use the c option.$ atohexlabel -c "CONFIDENTIAL NEED TO KNOW" 0x0004-08-68Human readable sensitivity labels and clearance labels are formed according to rules in the label_encodings file. Each type of label uses rules from a separate section of this file. When a sensitivity label and a clearance label both express the same underlying level of sensitivity, the labels have identical hexadecimal forms. However, the labels can have different human readable forms. System interfaces that accept human readable labels as input expect one type of label. If the text strings for the label types differ, these text strings cannot be used interchangeably.In the default label_encodings file, the text equivalent of a clearance label does not include a colon (:). When you pass a valid label in hexadecimal format, the command returns the argument.$ atohexlabel 0x0004-08-68 0x0004-08-68When you pass an administrative label, the command returns the argument.$ atohexlabel admin_high ADMIN_HIGH atohexlabel admin_low ADMIN_LOW The error message atohexlabel parsing error found in <string> at position 0 indicates that the <string> argument that you passed to atohexlabel was not a valid label or clearance. Check your typing, and check that the label exists in your installed label_encodings file. hextoalabel command text label equivalentsdetermining labelsdetermining text equivalents labelstroubleshooting labelsrepairing in internal databases troubleshootingrepairing labels in internal databases repairinglabels in internal databases findinglabel equivalent in text format This procedure provides a way to repair labels that are stored in internal databases. For more information, see the hextoalabel1M man page. You must be in the Security Administrator role in the global zone. To obtain the text equivalent for an internal representation of a label, do one of the following.To obtain the text equivalent for a sensitivity label, pass the hexadecimal form of the label.$ hextoalabel 0x0004-08-68 CONFIDENTIAL : NEED TO KNOW To obtain the text equivalent for a clearance, use the c option.$ hextoalabel -c 0x0004-08-68 CONFIDENTIAL NEED TO KNOW administeringsystem files editingsystem files system filesediting changingsystem security defaults enablingkeyboard shutdown keyboard shutdownenabling Stop-Aenabling policy.conf file /etc/security/policy.conf filehow to edit /etc/default/kbd filehow to edit /etc/default/login filehow to edit /etc/default/passwd filehow to edit filespolicy.conf files/etc/default/kbd files/etc/default/login files/etc/default/passwd In Trusted Extensions, the security administrator changes or accesses default security settings on a system. Files in the /etc/security and /etc/default directories contain security settings. On a Solaris system, superuser can edit these files. For Solaris security information, see Chapter 3, Controlling Access to Systems (Tasks), in System Administration Guide: Security Services.Relax system security defaults only if site security policy allows you to. You must be in the Security Administrator role in the global zone. Use the trusted editor to edit the system file.For details, see How to Edit Administrative Files in Trusted Extensions.File Task For More Information /etc/default/login Reduce the allowed number of password tries. See the example under How to Monitor All Failed Login Attempts in System Administration Guide: Security Services.passwd1 man page /etc/default/kbd Disable keyboard shutdown. How to Disable a System’s Abort Sequence in System Administration Guide: Security ServicesOn hosts that are used by administrators for debugging, the default setting for KEYBOARD_ABORT allows access to the kadb kernel debugger. For more information about the debugger, see the kadb1M man page. /etc/security/policy.conf Require a more powerful algorithm for user passwords.Remove a basic privilege from all users of this host.Restrict users of this host to Basic Solaris User authorizations. policy.conf4 man page /etc/default/passwd Require users to change passwords frequently.Require users to create maximally different passwords.Require a longer user password.Require a password that cannot be found in your dictionary. passwd1 man page