administeringdevices devicesadministering This chapter describes how to administer and use devices on a system that is configured with Solaris Trusted Extensions.Handling Devices in Trusted Extensions (Task Map) Using Devices in Trusted Extensions (Task Map) Managing Devices in Trusted Extensions (Task Map) Customizing Device Authorizations in Trusted Extensions (Task Map) tasks and task mapsHandling Devices in Trusted Extensions (Task Map) Handling Devices in Trusted Extensions (Task Map) The following task map points to task maps for administrators and users for handling peripheral devices.Task Description For Instructions Use devices. Uses a device as a role or as a regular user. Using Devices in Trusted Extensions (Task Map) Administer devices. Configures devices for ordinary users. Managing Devices in Trusted Extensions (Task Map) Customize device authorizations. The Security Administrator role creates new authorizations, adds them to the device, places them in a rights profile and assigns this profile to the user. Customizing Device Authorizations in Trusted Extensions (Task Map) usersusing devices devicesusing tasks and task mapsUsing Devices in Trusted Extensions (Tasks Map) Using Devices in Trusted Extensions (Task Map) In Trusted Extensions, all roles are authorized to allocate a device. Like users, roles must use the Device Allocation Manager. The Solaris allocate command does not work in Trusted Extensions. The following task map points to user procedures that include using devices to perform administrative tasks.Task For Instructions Allocate and deallocate a device. How to Allocate a Device in Trusted Extensions in Solaris Trusted Extensions User’s GuideWorkspace Switch Area in Solaris Trusted Extensions User’s Guide Use portable media to transfer files. How to Copy Files From Portable Media in Trusted ExtensionsHow to Copy Files to Portable Media in Trusted Extensions tasks and task mapsManaging Devices in Trusted Extensions (Task Map) Managing Devices in Trusted Extensions (Task Map) administeringdevices The following task map describes procedures to protect devices at your site.Task Description For Instructions Set or modify device policy. Changes the privileges that are required to access a device. Configuring Device Policy (Task Map) in System Administration Guide: Security Services Authorize users to allocate a device. The Security Administrator role assigns a profile with the Allocate Device authorization to the user. How to Authorize Users to Allocate a Device in System Administration Guide: Security Services The Security Administrator role assigns a profile with the site-specific authorizations to the user. Customizing Device Authorizations in Trusted Extensions (Task Map) Configure a device. Chooses security features to protect the device. How to Configure a Device in Trusted Extensions Revoke or reclaim a device. Uses the Device Allocation Manager to make a device available for use. How to Revoke or Reclaim a Device in Trusted Extensions Uses Solaris commands to make a device available or unavailable for use. Forcibly Allocating a Device in System Administration Guide: Security ServicesForcibly Deallocating a Device in System Administration Guide: Security Services Prevent access to an allocatable device. Provides fine–grained access control to a device. Example 23–4 Denies everyone access to an allocatable device. Example 23–1 Protect printers and frame buffers. Ensures that nonallocatable devices are not allocatable. How to Protect Nonallocatable Devices in Trusted Extensions Configure serial login devices. Enables logins by serial port. How to Configure a Serial Line for Logins Enable a CD player program to be used. Enables an audio player program to open automatically when a music CD is inserted. How to Configure an Audio Player Program for Use in Trusted CDE Prevent the File Manager from displaying. Prevents the File Manager from displaying after a device has been allocated. How to Prevent the File Manager From Displaying After Device Allocation Use a new device-clean script. Places a new script in the appropriate places. How to Add a Device_Clean Script in Trusted Extensions configuringdevices devicesconfiguring devices devicesadministering with Device Allocation Manager Device Allocation Manageruse by administrators Security Administrator roleconfiguring a device By default, an allocatable device has a label range from ADMIN_LOW to ADMIN_HIGH and must be allocated for use. Also, users must be authorized to allocate the device. These defaults can be changed. You must be in the Security Administrator role in the global zone. From the Trusted Path menu, select Allocate Device.The Device Allocation Manager appears. Dialog box titled Device Allocation Administration shows the default security settings for an audio device for an ordinary user. View the default security settings.Click Device Administration, then highlight the device. The following figure shows a CD-ROM drive with default security settings. Dialog box titled Device Allocation Configuration shows the default security settings for a CD-ROM drive. Restrict the label range on the device.Set the minimum label.Click the Min Label... button. Choose a minimum label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions. Set the maximum label.Click the Max Label... button. Choose a maximum label from the label builder. Specify if the device can be allocated locally.In the Device Allocation Configuration dialog box, under For Allocations From Trusted Path, select an option from the Allocatable By list. By default, the Authorized Users option is checked. Therefore, the device is allocatable and users must be authorized.To make the device nonallocatable, click No Users.When configuring a printer, frame buffer, or other device that must not be allocatable, select No Users. To make the device allocatable, but to not require authorization, click All Users. Specify if the device can be allocated remotely.In the For Allocations From Non-Trusted Path section, select an option from the Allocatable By list. By default, the Same As Trusted Path option is checked.To require user authorization, select Allocatable by Authorized Users. To make the device nonallocatable by remote users, select No Users. To make the device allocatable by anyone, select All Users. If the device is allocatable, and your site has created new device authorizations, select the appropriate authorization.The following dialog box shows the solaris.device.allocate authorization is required to allocate the cdrom0 device. Dialog box titled Device Allocation Authorizations shows the authorizations of a device. To create and use site-specific device authorizations, see Customizing Device Authorizations in Trusted Extensions (Task Map). To save your changes, click OK. deallocatingforcing devicesreclaiming System Administrator rolereclaiming a device troubleshootingreclaiming a device devicestroubleshooting allocate error statecorrecting If a device is not listed in the Device Allocation Manager, it might already be allocated or it might be in an allocate error state. The system administrator can recover the device for use. You must be in the System Administrator role in the global zone. This role includes the solaris.device.revoke authorization. From the Trusted Path menu, select Allocate Device.In the following figure, the audio device is already allocated to a user. Dialog box titled Device Allocation Administration shows the devices that can be administered, and the allocation status of the audio device. Click the Device Administration button. Check the status of a device.Select the device name and check the State field.If the State field is Allocate Error State, click the Reclaim button. If the State field is Allocated, do one of the following:Ask the user in the Owner field to deallocate the device. Force deallocation of the device by clicking the Revoke button. Close the Device Allocation Manager. devicesprotecting nonallocatable nonallocatable devicesprotecting Security Administrator roleprotecting nonallocatable devices protectingnonallocatable devices The No Users option in the Allocatable By section of the Device Configuration dialog box is used most often for the frame buffer and printer, which do not have to be allocated to be used. You must be in the Security Administrator role in the global zone. From the Trusted Path menu, select Allocate Device. In the Device Allocation Manager, click the Device Administration button. Select the new printer or frame buffer.To make the device nonallocatable, click No Users. Restrict the label range on the device.Set the minimum label.Click the Min Label... button. Choose a minimum label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions. Set the maximum label.Click the Max Label... button. Choose a maximum label from the label builder. protectingdevices from remote allocationaudio devicespreventing remote allocationdevicespreventing remote allocation of audioThe No Users option in the Allocatable By section prevents remote users from hearing conversations around a remote system.The security administrator configures the audio device in the Device Allocation Manager as follows:Device Name: audio For Allocations From: Trusted Path Allocatable By: Authorized Users Authorizations: solaris.device.allocateDevice Name: audio For Allocations From: Non-Trusted Pathh Allocatable By: No Users devicesconfiguring serial line serial lineconfiguring for logins loginconfiguring serial line Security Administrator roleconfiguring serial line for login administeringserial line for login configuringserial line for login You must be in the Security Administrator role in the global zone. Open the Solaris Management Console in the Files scope.

Window shows the Navigation pane of the Trusted Extensions toolbox in Files scope. The Devices and Hardware node is visible.

Under Devices and Hardware, navigate to Serial Ports.Provide a password when prompted. Follow the online help to configure the serial port. To change the default label range, open the Device Allocation Manager.The default label range is ADMIN_LOW to ADMIN_HIGH. After creating a serial login device, the security administrator restricts the label range of the serial port to a single label, Public. The administrator sets the following values in the Device Administration dialog boxes.Device Name: /dev/term/[a|b] Device Type: tty Clean Program: /bin/true Device Map: /dev/term/[a|b] Minimum Label: Public Maximum Label: Public Allocatable By: No Users devicessetting up audio devicesautomatically starting an audio player audio devicesautomatically starting an audio player CD-ROM drivesplaying music automatically System Administrator roleenabling music to play automatically /etc/rmmount.conf file rmmount.conf file files/etc/rmmount.conf administeringaudio device to play music configuringaudio device to play music The following procedure enables an audio player to open automatically in a Trusted CDE workspace when a user inserts a music CD. For the user's procedure, see the example in How to Allocate a Device in Trusted Extensions in Solaris Trusted Extensions User’s Guide.In a Trusted GNOME workspace, users specify the behavior of removable media just as they specify it in a non-trusted workspace. You must be in the System Administrator role in the global zone. Edit the /etc/rmmount.conf file.Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions. Add your site's CD player program to the cdrom action in the file.action media action_program.so path-to-program In the following example, the system administrator makes the workman program available to all users of a system. The workman program is an audio player program.# /etc/rmmount.conf file action cdrom action_workman.so /usr/local/bin/workman File Managerpreventing display after device allocation device allocationpreventing File Manager display System Administrator rolepreventing File Manager display /etc/rmmount.conf file rmmount.conf file By default, the File Manager displays when a device is mounted. If you are not mounting devices that have file systems, you might want to prevent the File Manager from displaying. You must be in the System Administrator role in the global zone. Edit the /etc/rmmount.conf file.Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions. Find the following filemgr actions:action cdrom action_filemgr.so action floppy action_filemgr.so Comment out the appropriate action.The following example shows the action_filemgr.so actions commented out for both the cdrom and diskette devices.# action cdrom action_filemgr.so # action floppy action_filemgr.soWhen a CDROM or diskette is allocated, the File Manager does not display. System Administrator roleadding device_clean script devicesadding device_clean script device-clean scriptsadding to devices If no device_clean script is specified at the time a device is created, the default script, /bin/true, is used. Have ready a script that purges all usable data from the physical device and that returns 0 for success. For devices with removable media, the script attempts to eject the media if the user does not do so. The script puts the device into the allocate error state if the medium is not ejected. For details about the requirements, see the device_clean5 man page.You must be in the System Administrator role in the global zone. Copy the script into the /etc/security/lib directory. In the Device Administration dialog box, specify the full path to the script.Open the Device Allocation Manager. Click the Device Administration button. Select the name of the device, and click the Configure button. In the Clean Program field, type the full path to the script. Save your changes. tasks and task mapsCustomizing Device Authorizations in Trusted Extensions (Task Map) Customizing Device Authorizations in Trusted Extensions (Task Map) The following task map describes procedures to change device authorizations at your site.Task Description For Instructions Create new device authorizations. Creates site-specific authorizations. How to Create New Device Authorizations Add authorizations to a device. Adds site-specific authorizations to selected devices. How to Add Site-Specific Authorizations to a Device in Trusted Extensions Assign device authorizations to users and roles. Enables users and roles to use the new authorizations. How to Assign Device Authorizations devicescreating new authorizations authorizationsadding new device authorizations administeringdevice authorizations configuringauthorizations for devices creatingauthorizations for devices If no authorization is specified at the time a device is created, by default, all users can use the device. If an authorization is specified, then, by default, only authorized users can use the device.To prevent all access to an allocatable device without using authorizations, see Example 23–1. You must be in the Security Administrator role in the global zone. Edit the auth_attr file.Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions. Create a heading for the new authorizations.Use the reverse-order Internet domain name of your organization followed by optional additional arbitrary components, such as the name of your company. Separate components by dots. End heading names with a dot.domain-suffix.domain-prefix.optional.:::Company Header::help=Company.html Add new authorization entries.Add the authorizations, one authorization per line. The lines are split for display purposes. The authorizations include grant authorizations that enable administrators to assign the new authorizations.domain-suffix.domain-prefix.grant:::Grant All Company Authorizations:: help=CompanyGrant.html domain-suffix.domain-prefix.grant.device:::Grant Company Device Authorizations:: help=CompanyGrantDevice.html domain-suffix.domain-prefix.device.allocate.tape:::Allocate Tape Device:: help=CompanyTapeAllocate.html domain-suffix.domain-prefix.device.allocate.floppy:::Allocate Floppy Device:: help=CompanyFloppyAllocate.html Save the file and close the editor. If you are using LDAP as your naming service, update the auth_attr entries on the Sun Java System Directory Server (LDAP server).For information, see the ldapaddent1M man page. Add the new authorizations to the appropriate rights profiles. Then assign the profiles to users and roles.Use the Solaris Management Console. Assume the Security Administrator role, then follow the Solaris procedure How to Create or Change a Rights Profile in System Administration Guide: Security Services. Use the authorization to restrict access to tape and diskette drives.Add the new authorizations to the list of required authorizations in the Device Allocation Manager. For the procedure, see How to Add Site-Specific Authorizations to a Device in Trusted Extensions. authorizationscreating customized device authorizations A security administrator for NewCo needs to construct fine-grained device authorizations for the company.First, the administrator writes the following help files, and places the files in the /usr/lib/help/auths/locale/C directory:Newco.html NewcoGrant.html NewcoGrantDevice.html NewcoTapeAllocate.html NewcoFloppyAllocate.htmlNext, the administrator adds a header for all of the authorizations for newco.com in the auth_attr file.# auth_attr file com.newco.:::NewCo Header::help=Newco.htmlNext, the administrator adds authorization entries to the file:com.newco.grant:::Grant All NewCo Authorizations:: help=NewcoGrant.html com.newco.grant.device:::Grant NewCo Device Authorizations:: help=NewcoGrantDevice.html com.newco.device.allocate.tape:::Allocate Tape Device:: help=NewcoTapeAllocate.html com.newco.device.allocate.floppy:::Allocate Floppy Device:: help=NewcoFloppyAllocate.htmlThe lines are split for display purposes.The auth_attr entries create the following authorizations:An authorization to grant all NewCo's authorizations An authorization to grant NewCo's device authorizations An authorization to allocate a tape drive An authorization to allocate a diskette drive authorizationscreating local and remote device authorizations rights profileswith new device authorizations By default, the Allocate Devices authorization enables allocation from the trusted path and from outside the trusted path.In the following example, site security policy requires restricting remote CD-ROM allocation. The security administrator creates the com.someco.device.cdrom.local authorization. This authorization is for CD-ROM drives that are allocated with the trusted path. The com.someco.device.cdrom.remote authorization is for those few users who are allowed to allocate a CD-ROM drive outside the trusted path.The security administrator creates the help files, adds the authorizations to the auth_attr database, adds the authorizations to the devices, and then places the authorizations in rights profiles. The profiles are assigned to users who are allowed to allocate devices.The following are the auth_attr database entries:com.someco.:::SomeCo Header::help=Someco.html com.someco.grant:::Grant All SomeCo Authorizations:: help=SomecoGrant.html com.someco.grant.device:::Grant SomeCo Device Authorizations:: help=SomecoGrantDevice.html com.someco.device.cdrom.local:::Allocate Local CD-ROM Device:: help=SomecoCDAllocateLocal.html com.someco.device.cdrom.remote:::Allocate Remote CD-ROM Device:: help=SomecoCDAllocateRemote.html The following is the Device Allocation Manager assignment:The Trusted Path enables authorized users to use the Device Allocation Manager when allocating the local CD-ROM drive.Device Name: cdrom_0 For Allocations From: Trusted Path Allocatable By: Authorized Users Authorizations: com.someco.device.cdrom.localThe Non-Trusted Path enables users to allocate a device remotely by using the allocate command.Device Name: cdrom_0 For Allocations From: Non-Trusted Path Allocatable By: Authorized Users Authorizations: com.someco.device.cdrom.remote The following are the rights profile entries:# Local Allocator profile com.someco.device.cdrom.local # Remote Allocator profile com.someco.device.cdrom.remote The following are the rights profiles for authorized users:# List of profiles for regular authorized user Local Allocator Profile ... # List of profiles for role or authorized user Remote Allocator Profile ... devicesadding customized authorizations customizingdevice authorizations authorizationscustomizing for devices You must be in the Security Administrator role, or in a role that includes the Configure Device Attributes authorization. You must have already created site-specific authorizations, as described in How to Create New Device Authorizations. Follow the How to Configure a Device in Trusted Extensions procedure.Select a device that needs to be protected with your new authorizations. Open the Device Administration dialog box. In the Device Configuration dialog box, click the Authorizations button.The new authorizations are displayed in the Not Required list. Add the new authorizations to the Required list of authorizations. To save your changes, click OK. authorizingdevice allocation device allocationauthorizing authorizationsassigning device authorizations Allocate Device authorization authorizationsAllocate Device Revoke or Reclaim Device authorization authorizationsRevoke or Reclaim Device administeringdevice allocation administeringassigning device authorizations The Allocate Device authorization enables users to allocate a device. The Allocate Device authorization, and the Revoke or Reclaim Device authorization, are appropriate for administrative roles. You must be in the Security Administrator role in the global zone.If the existing profiles are not appropriate, the security administrator can create a new profile. For an example, see How to Create a Rights Profile for Convenient Authorizations. rights profileswith Allocate Device authorizationAssign to the user a rights profile that contains the Allocate Device authorization.For assistance, see the online help. For the step-by-step procedure, see How to Change the RBAC Properties of a User in System Administration Guide: Security Services.authorizationsprofiles that include device allocation authorizationsdevice allocationprofiles that include allocation authorizationsrights profileswith device allocation authorizationsAllocate Device authorizationauthorizationsAllocate DeviceThe following profiles enable a role to allocate devices:All Authorizations Device Management Media Backup Media Restore Object Label Management Software Installation Revoke or Reclaim Device authorizationauthorizationsRevoke or Reclaim DeviceThe following profiles enable a role to revoke or reclaim devices:All Authorizations Device Management Configure Device Attributes authorizationauthorizationsConfigure Device AttributesThe following profiles enable a role to create or configure devices:All Authorizations Device Security In this example, the security administrator configures the new device authorizations for the system and assigns the rights profile with the new authorizations to trustworthy users. The security administrator does the following:Creates new device authorizations, as in How to Create New Device Authorizations In the Device Allocation Manager, adds the new device authorizations to the tape and diskette drives Places the new authorizations in the rights profile, NewCo Allocation Adds the NewCo Allocation rights profile to the profiles of users and roles who are authorized to allocate tape and diskette drives Authorized users and roles can now use the tape drives and diskette drives on this system.