This chapter introduces you to administering a system that is configured with Solaris Trusted Extensions.What's New in Trusted Extensions Security Requirements When Administering Trusted Extensions Getting Started as a Trusted Extensions Administrator (Task Map) mountingNFSv3 file systems file systemsNFSv3 service management facility (SMF)Trusted Extensions service enablingDOI different from 1 Trusted Extensions DOIenabling DOI different from 1 Solaris Express Community Edition – In this release, Trusted Extensions provides the following features:The Trusted Extensions shared IP stack allows default routes to isolate labeled zones from each other and from the global zone. The loopback interface, lo0, is an all-zones interface. Separation of duty can be enforced by role. The System Administrator role creates users, but cannot assign passwords. The Security Administrator role assigns passwords, but cannot create users. For details, see Create Rights Profiles That Enforce Separation of Duty. This guide includes a list of Trusted Extensions man pages in Appendix E, List of Trusted Extensions Man Pages. Solaris Express Developer Edition 1/08 – In this release, Trusted Extensions provides the following features:The service management facility (SMF) manages Trusted Extensions as the svc:/system/labeld service. By default, the labeld service is disabled. When the service is enabled, the system must still be configured and rebooted to enforce Trusted Extensions security policies. The CIPSO Domain of Interpretation (DOI) number that your system uses is configurable.For information about the DOI, see Network Security Attributes in Trusted Extensions. To specify a DOI that differs from the default, see Configure the Domain of Interpretation. Trusted Extensions recognizes CIPSO labels in NFS Version 3 (NFSv3) mounted file systems, as well as in NFS Version 4 (NFSv4). Therefore, you can mount NFSv3 file systems on a Trusted Extensions system as a labeled file system. To use udp as an underlying protocol for multilevel mounts in NFSv3, see How to Configure a Multilevel Port for NFSv3 Over udp. The name service cache daemon, nscd, can be configured to run in every labeled zone at the label of the zone. loginby roles rolesassuming rolesworkspaces workspacesglobal zone role workspaceglobal zone In Trusted Extensions, roles are the conventional way to administer the system. Typically, superuser is not used. Roles are created just as they are in the Solaris OS, and most tasks are performed by roles. In Trusted Extensions, the root user is not used to perform administrative tasks.The following roles are typical of a Trusted Extensions site:root role – Created by the initial setup team Security Administrator role – Created during or after initial configuration by the initial setup team System Administrator role – Created by the Security Administrator role As in the Solaris OS, you might also create a Primary Administrator role, an Operator role, and so on. With the exception of the root role, the roles that you create can be administered in a naming service.As in the Solaris OS, only users who have been assigned a role can assume that role. In Solaris Trusted Extensions (CDE), you can assume a role from a desktop menu called the Trusted Path menu. In Solaris Trusted Extensions (GNOME), you can assume a role when your user name is displayed in the Trusted Stripe. The role choices appear when you click your user name.rolescreating To administer Trusted Extensions, you create roles that divide system and security functions. The initial setup team created the Security Administrator role during configuration. For details, see Create the Security Administrator Role in Trusted Extensions.The process of creating a role in Trusted Extensions is identical to the Solaris OS process. As described in Chapter 8, Trusted Extensions Administration Tools, the Solaris Management Console is the GUI for managing roles in Trusted Extensions.For an overview of role creation, see Chapter 10, Role-Based Access Control (Reference), in System Administration Guide: Security Services and Using RBAC (Task Map) in System Administration Guide: Security Services. To create a powerful role that is equivalent to superuser, see Creating the Primary Administrator Role in System Administration Guide: Basic Administration. At sites that use Trusted Extensions, the Primary Administrator role might violate security policy. These sites would turn root into a role, and create a Security Administrator role. To create the root role, see How to Make root User Into a Role in System Administration Guide: Security Services. To create roles by using the Solaris Management Console, see How to Create and Assign a Role by Using the GUI in System Administration Guide: Security Services. restrictingaccess to global zone Unlike the Solaris OS, Trusted Extensions provides an Assume Rolename Role menu item from the Trusted Path menu. After confirming the role password, the software activates a role workspace with the trusted path attribute. Role workspaces are administrative workspaces. Such workspaces are in the global zone. accessingadministrative tools administrative toolsaccessing Getting Started as a Trusted Extensions Administrator (Task Map) tasks and task mapsGetting Started as a Trusted Extensions Administrator (Task Map) Familiarize yourself with the following procedures before administering Trusted Extensions.Task Description For Instructions Log in. Logs you in securely. Logging In to Trusted Extensions in Solaris Trusted Extensions User’s Guide Perform common user tasks on a desktop. These tasks include:Configuring your workspaces Using workspaces at different labels Accessing Trusted Extensions man pages Accessing Trusted Extensions online help Working on a Labeled System in Solaris Trusted Extensions User’s Guide Perform tasks that require the trusted path. These tasks include:Allocating a device Changing your password Changing the label of a workspace Performing Trusted Actions in Solaris Trusted Extensions User’s Guide Create useful roles. Creates administrative roles for your site. Creating roles in LDAP is a one-time task.The Security Administrator role is a useful role. Role Creation in Trusted ExtensionsCreate the Security Administrator Role in Trusted Extensions (Optional) Make root a role. Prevents anonymous login by root. This task is done once per system. How to Make root User Into a Role in System Administration Guide: Security Services Assume a role. Enters the global zone in a role. All administrative tasks are performed in the global zone. How to Enter the Global Zone in Trusted Extensions Exit a role workspace and become regular user. Leaves the global zone. How to Exit the Global Zone in Trusted Extensions Locally administer users, roles, rights, zones, and networks. Uses the Solaris Management Console to manage the distributed system. How to Administer the Local System With the Solaris Management Console Administer the system by using Trusted CDE actions. Uses the administrative actions in the Trusted_Extensions folder. How to Start CDE Administrative Actions in Trusted Extensions Edit an administrative file. Edits files in a trusted editor. How to Edit Administrative Files in Trusted Extensions Administer device allocation in Trusted CDE. Uses the Device Allocation Manager – Device Administration GUI. Managing Devices in Trusted Extensions (Task Map) privilegeswhen executing commands commandsexecuting with privilege rolesassuming global zoneentering administeringfrom the global zone assumingroles accessingglobal zone Trusted Path menuAssume Role Assume Role menu item By assuming a role, you enter the global zone in Trusted Extensions. Administration of the entire system is possible only from the global zone. Only superuser or a role can enter the global zone.After assuming a role, the role can create a workspace at a user label to edit administration files in a labeled zone.For troubleshooting purposes, you can also enter the global zone by starting a Failsafe session. For details, see How to Log In to a Failsafe Session in Trusted Extensions. You have created one or more roles, or you plan to enter the global zone as superuser. For pointers, see Role Creation in Trusted Extensions. Use a trusted mechanism.In Solaris Trusted Extensions (GNOME), click your user name in the trusted stripe and choose a role.If you have been assigned a role, the role names are displayed in a list.For the location and significance of Trusted Extensions desktop features, see Chapter 4, Elements of Trusted Extensions (Reference), in Solaris Trusted Extensions User’s Guide. In Solaris Trusted Extensions (CDE), open the Trusted Path menu.Click mouse button 3 over the workspace switch area. The illustration shows the Workspace Switch Area in Trusted CDE. Choose Assume rolename Role from the Trusted Path menu. At the prompt, type the role password.desktopsworkspace color changesworkspacescolor changesIn Trusted CDE, a new role workspace is created, the workspace switch button changes to the color of the role desktop, and the title bar above each window shows Trusted Path. In Trusted GNOME, the current workspace changes to the role workspace.In Trusted CDE, you leave a role workspace by using the mouse to choose a regular user workspace. You can also delete the last role workspace to exit a role. In Trusted GNOME, you can click the role name on the trusted stripe, and from the menu, select a different role or user. This action changes the current workspace to the process of the new role or user. global zoneexiting rolesleaving role workspace The menu locations for exiting a role are different in Trusted GNOME and Trusted CDE. You are in the global zone. On both desktops, you can click a user workspace in the Workspace Switch area.You can also exit the role workspace, and therefore the global zone, by doing one of the following:In Trusted GNOME, click your role name in the trusted stripe.When you click the role name, your user name and a list of roles that you can assume is displayed. When you select your user name, all subsequent windows that you create in that workspace are created by the selected name. The windows that you previously created on the current desktop continue to display at the name and label of the role.If you choose a different role name, you remain in the global zone in a different role. In Trusted CDE, delete the role workspace.Click mouse button 3 over the workspace button and select Delete. You are returned to the last workspace you occupied. Solaris Management Consolestarting administrative toolsSolaris Management Console accessingSolaris Management Console The first time that you launch the Solaris Management Console on a system, a delay occurs while the tools are registered and various directories are created. This delay typically occurs during system configuration. For the procedure, see Initialize the Solaris Management Console Server in Trusted Extensions.To administer a remote system, see Administering Trusted Extensions Remotely (Task Map). You must have assumed a role. For details, see How to Enter the Global Zone in Trusted Extensions. Start the Solaris Management Console.In Solaris Trusted Extensions (GNOME), use the command line. In Trusted CDE, you have three choices. Use the smc command in a terminal window.$ /usr/sbin/smc & From the Tools pull-up menu on the Front Panel, click the Solaris Management Console icon. In the Trusted_Extensions folder, double-click the Solaris Management Console icon. Choose Console -> Open Toolbox. From the list, select a Trusted Extensions toolbox of the appropriate scope.A Trusted Extensions toolbox has Policy=TSOL as part of its name. The Files scope updates local files on the current system. The LDAP scope updates LDAP directories on the Sun Java System Directory Server. The toolbox names appear similar to the following:This Computer (this-host: Scope=Files, Policy=TSOL) This Computer (ldap-server: Scope=LDAP, Policy=TSOL) Navigate to the desired Solaris Management Console tool.The password prompt is displayed.For tools that Trusted Extensions has modified, click System Configuration. Type the password.Refer to the online help for additional information about Solaris Management Console tools. For an introduction to the tools that Trusted Extensions modifies, see Solaris Management Console Tools. To close the GUI, choose Exit from the Console menu. administrative actionsin Trusted_Extensions folder administrative toolsin Trusted_Extensions folder accessingtrusted CDE actions Trusted_Extensions folderusing actions in Assume a role.For details, see How to Enter the Global Zone in Trusted Extensions. In Trusted CDE, bring up the Application Manager.Click mouse button 3 on the background to bring up the Workspace menu. Click Applications, then click the Application Manager menu item. Dialog box titled Application Manager shows folders, including the Trusted_Extensions folder. The Trusted_Extensions folder is in the Application Manager. Open the Trusted_Extensions folder. Double-click the appropriate icon.For a list of administrative actions, see Trusted CDE Actions. actionsAdmin Editor editingusing trusted editor filesediting with trusted editor administrative actionsaccessing Admin Editor actionopening accessingAdmin Editor action system filesediting Trusted_Extensions folderusing Admin Editor from /usr/dt/bin/trusted_edit trusted editor trusted_edit trusted editor commands trusted_edit trusted editor trusted editorstarting Administrative files are edited with a trusted editor that incorporates auditing. This editor also prevents the user from executing shell commands and from saving to any file name other than the name of the original file. Assume a role.For details, see How to Enter the Global Zone in Trusted Extensions. Open a trusted editor.In Solaris Trusted Extensions (CDE), do the following:To bring up the editor, click mouse button 3 on the background to bring up the Workspace menu. Click Applications, then click the Application Manager menu item.The Trusted_Extensions folder is in the Application Manager. Open the Trusted_Extensions folder. Double-click the Admin Editor action.You are prompted to provide a file name. For the format, see Step 3 and Step 4. In Solaris Trusted Extensions (GNOME), do the following:To use gedit as the trusted editor, modify the EDITOR variable.For details, see How to Assign the Editor of Your Choice as the Trusted Editor. Use the command line to bring up the trusted editor.# /usr/dt/bin/trusted_edit filenameYou must provide a filename argument. To create a new file, type the full path name for the new file.When you save the file, the editor creates a temporary file. To edit an existing file, type the full path name for the existing file.If your editor provides a Save As option, do not use it. Use the editor's Save option to save the file. To save the file to the specified path name, close the editor.