administrative toolsdescription This chapter describes the tools that are available in Solaris Trusted Extensions, the location of the tools, and the databases on which the tools operate.Administration Tools for Trusted Extensions Trusted CDE Actions Device Allocation Manager Solaris Management Console Tools Command Line Tools in Trusted Extensions Remote Administration in Trusted Extensions Administration on a system that is configured with Trusted Extensions uses many of the same tools that are available in the Solaris OS. Trusted Extensions offers security-enhanced tools as well. Administration tools are available only to roles in a role workspace.trusted applicationsin a role workspacerolestrusted application accessWithin a role workspace, you can access commands, actions, applications, and scripts that are trusted. The following table summarizes these administrative tools.Tool Description For More Information files/usr/sbin/txzonemgrscripts/usr/sbin/txzonemgr/usr/sbin/txzonemgr script/usr/sbin/txzonemgr Provides a menu-based wizard for creating, installing, initializing, and booting zones. This script replaces the Trusted CDE actions that manage zones.The script also provides menu items for networking options, name services options, and for clienting the global zone to an existing LDAP server. txzonemgr uses the zenity command. See Creating Labeled ZonesSee also the zenity1 man page. Trusted_Extensions folderlocationIn Trusted CDE, actions in the Trusted_Extensions folder in the Application Manager folder Used to edit local files that the Solaris Management Console does not manage, such as /etc/system. Some actions run scripts, such as the Install Zone action. See Trusted CDE Actions and How to Start CDE Administrative Actions in Trusted Extensions. Device Allocation Manageradministrative toolIn Trusted CDE, Device Allocation ManagerIn Solaris Trusted Extensions (JDS), Device Manager Used to administer the label ranges of devices, and to allocate or deallocate devices. See Device Allocation Manager and Handling Devices in Trusted Extensions (Task Map). Solaris Management Console Used to configure users, roles, rights, hosts, zones, and networks. This tool can update local files or LDAP databases.This tool can also launch the dtappsession legacy application. For basic functionality, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration. For information that is specific to Trusted Extensions, see Solaris Management Console Tools. Solaris Management Console commands, such as smuser and smtnzonecfg Is the command-line interface for the Solaris Management Console. For a list, see Table 8–4. Label Builder Is also a user tool. Appears when a program requires you to choose a label. For an example, see How to Modify a User's Label Range in the Solaris Management Console. Trusted Extensions commands Used to perform tasks that are not covered by Solaris Management Console tools or CDE actions. For the list of administrative commands, see Table 8–5. administrative toolstxzonemgr script administrative toolsLabeled Zone Manager In the Solaris Express Community Edition, the txzonemgr script is used to configure labeled zones. This zenity(1) script displays a dialog box with the title Labeled Zone Manager. This GUI presents a dynamically-determined menu that displays only valid choices for the current configuration status of a labeled zone. For instance, if a zone is already labeled, the Label menu item is not displayed. administrative actionsin CDE trusted actionsin CDE administrative actionslist of trusted CDE actionslist of trusted CDE administrative toolsTrusted CDE actions The following tables list the CDE actions that roles in Trusted Extensions can run. These trusted CDE actions are available from the Trusted_Extensions folder. The Trusted_Extensions folder is available from the Application Manager folder on the CDE desktop.Action Name Purpose of Action Default Rights Profile Add Allocatable Device actionAdd Allocatable Device device databasesaction for editingdatabasesdevicesCreates devices by adding entries to device databases. See add_allocatable1M. Device Security Admin Editor actionAdmin Editor Edits the specified file. See How to Edit Administrative Files in Trusted Extensions. Object Access Management Audit Classes actionAudit Classes /etc/security/audit_class filefiles/etc/security/audit_classaudit_class fileaction for editingEdits the audit_class file. See audit_class4. Audit Control Audit Control actionAudit Control /etc/security/audit_control filefiles/etc/security/audit_controlaudit_control fileaction for editingEdits the audit_control file. See audit_control4. Audit Control Audit Events actionAudit Events /etc/security/audit_event filefiles/etc/security/audit_eventaudit_event fileEdits the audit_event file. See audit_event4. Audit Control Audit Startup actionAudit Startup /etc/security/audit_startup filefiles/etc/security/audit_startupaudit_startup commandaction for editingEdits the audit_startup.sh script. See audit_startup1M. Audit Control Check Encodings actionCheck Encodings chk_encodings commandaction for invokingRuns the chk_encodings command on specified encodings file. See chk_encodings1M. Object Label Management Check TN Files actionCheck TN Files network databasesaction for checkingtnchkdb commandaction for checkingtnrhdb databaseaction for checkingtnrhtp databaseaction for checkingRuns the tnchkdb command on tnrhdb, tnrhtp, and tnzonecfg databases. See tnchkdb1M. Network Management Configure Selection Confirmation actionConfigure Selection Confirmation files/usr/dt/config/sel_configsel_config fileaction for editingEdits /usr/dt/config/sel_config file. See sel_config4. Object Label Management Create LDAP Client actionCreate LDAP Client LDAPaction for creating global zone clientsMakes the global zone an LDAP client of an existing LDAP directory service. Information Security Edit Encodings actionEdit Encodings files/etc/security/tsol/label_encodingslabel_encodings fileaction for editing and checkingEdits the specified label_encodings file and runs the chk_encodings command. See chk_encodings1M. Object Label Management Name Service Switch actionName Service Switch /etc/nsswitch.conf filefiles/etc/nsswitch.confnsswitch.conf fileaction for editingEdits the nsswitch.conf file. See nsswitch.conf4. Network Management Set DNS Servers actionSet DNS Servers /etc/resolv.conf filefiles/etc/resolv.confresolv.conf fileaction for editingEdits the resolv.conf file. See resolv.conf4. Network Management Set Daily Message actionSet Daily Message files/etc/motd/etc/motd fileaction for editingmotd fileaction for editingEdits the /etc/motd file. At login, the contents of this file display in the Last Login dialog box. Network Management Set Default Routes actionSet Default Routes trusted networkaction for setting default routesSpecifies default static routes. Network Management Share Filesystems actionShare Filesystem /etc/dfs/dfstab filefiles/etc/dfs/dfstabdfstab fileaction for editingEdits the dfstab file. Does not run the share command. See dfstab4. File System Management The following actions are used by the initial setup team during zone creation. Some of these actions can be used for maintenance and troubleshooting.Action Name Purpose of Action Default Rights Profile Clone Zone actionClone Zone zonesaction for cloningCreates a labeled zone from a ZFS snapshot of an existing zone. Zone Management Copy Zone actionCopy Zone zonesaction for copyingCreates a labeled zone from an existing zone. Zone Management Configure Zone actionConfigure Zone zonesaction for configuringAssociates a label with a zone name. Zone Management Initialize Zone for LDAP actionInitialize Zone for LDAP zonesaction for initializingInitializes the zone for booting as an LDAP client. Zone Management Install Zone actionInstall Zone zonesaction for installingInstalls the system files that a labeled zone requires. Zone Management Restart Zone actionRestart Zone zonesaction for restartingRestarts a zone that has already been booted. Zone Management Share Logical Interface actionShare Logical Interface zonesaction for sharing logical interfaceSets up one interface for the global zone and a separate interface for the labeled zones to share. Network Management Share Physical Interface actionShare Physical Interface zonesaction for sharing physical interfaceSets up one interface that is shared by the global zone and the labeled zones. Network Management Shut Down Zone actionShut Down Zone zonesaction for shutting downShuts down an installed zone. Zone Management Start Zone actionStart Zone zonesaction for startingBoots an installed zone and starts the services for that zone. Zone Management Zone Terminal Console actionZone Terminal Console zonesaction for viewing from consoleOpens a console to view processes in an installed zone. Zone Management devicesprotecting protectingdevices administrative toolsDevice Allocation Manager A device is either a physical peripheral that is connected to a computer or a software-simulated device called a pseudo-device. Because devices provide a means for the import and export of data to and from a system, devices must be controlled to properly protect the data. Trusted Extensions uses device allocation and device label ranges to control data flowing through devices.Examples of devices that have label ranges are frame buffers, tape drives, diskette and CD-ROM drives, printers, and USB devices.Users allocate devices through the Device Allocation Manager. The Device Allocation Manager mounts the device, runs a clean script to prepare the device, and performs the allocation. When finished, the user deallocates the device through the Device Allocation Manager, which runs another clean script, and unmounts and deallocates the device.

Shows the Device Allocation Manager icon.

You can manage devices by using the Device Administration tool from the Device Allocation Manager. Regular users cannot access the Device Administration tool.In Solaris Trusted Extensions (JDS), this GUI is named Device Manager, and the Device Administration button is named Administration.

Dialog box titled Device Allocation Manager shows the devices that are available to a user, and the Device Administration button.

For more information about device protection in Trusted Extensions, see Chapter 23, Managing Devices for Trusted Extensions (Tasks). Solaris Management Consoledescription of tools and toolboxes administrative toolsSolaris Management Console The Solaris Management Console provides access to toolboxes of GUI-based administration tools. These tools enable you to edit items in various configuration databases. In Trusted Extensions, the Solaris Management Console is the administrative interface for users, roles, and the trusted network databases.Trusted Extensions extends the Solaris Management Console:Trusted Extensions modifies the Solaris Management Console Users tool set. For an introduction to the tool set, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration. Trusted Extensions adds the Security Templates tool and the Trusted Network Zones tool to the Computers and Networks tool set. Solaris Management ConsoletoolboxestoolboxesdefinedSolaris Management Console tools are collected into toolboxes according to scope and security policy. To administer Trusted Extensions, Trusted Extensions provides toolboxes whose Policy=TSOL. You can access tools according to scope, that is, according to naming service. The available scopes are local host and LDAP.The Solaris Management Console is shown in the following figure. A Scope=Files Trusted Extensions toolbox is loaded, and the Users tool set is open.

The context describes the graphic.

User Accounts toolAdministrative Roles toolRights toolTrusted Extensions adds configurable security attributes to three tools:User Accounts tool – Is the administrative interface to change a user's label, change a user's view of labels, and to control account usage. Administrative Roles tool – Is the administrative interface to change a role's label range and screen-locking behavior when idle. Rights tool – Includes CDE actions that can be assigned to rights profiles. Security attributes can be assigned to these actions. Trusted Network toolsdescriptionComputers and Networks tool setSecurity Templates toolTrusted Network Zones tooldescriptionTrusted Extensions adds two tools to the Computers and Networks tool set:Security Templates tool – Is the administrative interface for managing the label aspects of hosts and networks. This tool modifies the tnrhtp and tnrhdb databases, enforces syntactic accuracy, and updates the kernel with the changes. Trusted Network Zones tool – Is the administrative interface for managing the label aspects of zones. This tool modifies the tnzonecfg database, enforces syntactic accuracy, and updates the kernel with the changes. Figure 8–4 shows the Files toolbox with the Computers and Networks tool set highlighted. The Trusted Extensions tools appear below the tool set.

Window shows icons for the Computers and Networks tool. The icons are for Computers, Security Templates, and the networks 127,10, and 192.168.

Solaris Management ConsoleSecurity Templates tool Security Templates tool remote host templatestool for administering tnrhdb databasetool for administering tnrhtp databasetool for administering A security template describes a set of security attributes that can be assigned to a group of hosts. The Security Templates tool enables you to conveniently assign a specific combination of security attributes to a group of hosts. These attributes control how data is packaged, transmitted, and interpreted. Hosts that are assigned to a template have identical security settings.The hosts are defined in the Computers tool. The security attributes of the hosts are assigned in the Security Templates tool. The Modify Template dialog box contains two tabs:General tab – Describes the template. Includes its name, host type, default label, domain of interpretation (DOI), accreditation range, and set of discrete sensitivity labels. Hosts Assigned to Template tab – Lists all the hosts on the network that you have assigned to this template. Trusted networking and security templates are explained in more detail in Chapter 18, Trusted Networking (Overview). Solaris Management ConsoleTrusted Network Zones tool Trusted Network Zones tooldescription zonestool for labeling The Trusted Network Zones tool identifies the zones on your system. Initially, the global zone is listed. When you add zones and their labels, the zone names display in the pane. Zone creation usually occurs during system configuration. Label assignment, multilevel port configuration, and label policy is configured in this tool. For details, see Chapter 16, Managing Zones in Trusted Extensions (Tasks). Typically, a Solaris Management Console client administers systems remotely. On a network that uses LDAP as a naming service, a Solaris Management Console client connects to the Solaris Management Console server that runs on the LDAP server. The following figure shows this configuration.

Solaris Management Console client talking to an LDAP server that is running a Solaris Management Console server.

Figure 8–6 shows a network that is not configured with an LDAP server. The administrator configured each remote system with a Solaris Management Console server.

Solaris Management Console client talking to several remote systems. Each system is running a Solaris Management Console server.

The main source of documentation for the Solaris Management Console is its online help. Context-sensitive help is tied to the currently selected feature and is displayed in the information pane. Expanded help topics are available from the Help menu or by clicking links in the context-sensitive help. Further information is provided in Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration. Also see Using the Solaris Management Tools With RBAC (Task Map) in System Administration Guide: Basic Administration. administrative toolslabel builder The label builder GUI enforces your choice of a valid label or clearance when a program requires you to assign a label. For example, a label builder appears during login (see Chapter 2, Logging In to Trusted Extensions (Tasks), in Solaris Trusted Extensions User’s Guide). The label builder also appears when you change the label of a workspace, or when you assign a label to a user, zone, or network interface in the Solaris Management Console. The following label builder appears when you assign a label range to a new device. Label builder titled Device Allocation Set Minimum Label shows the labels that can be chosen as the minimum label for a device. In the label builder, component names in the Classification column correspond to the CLASSIFICATIONS section in the label_encodings file. The component names in the Sensitivity column correspond to the WORDS section in the label_encodings file. administrative toolscommands Commands that are unique to Trusted Extensions are contained in the Solaris Trusted Extensions Reference Manual. The Solaris commands that Trusted Extensions modifies are contained in the Solaris Reference Manual. The man command finds all the commands.The following table lists commands that are unique to Trusted Extensions. The commands are listed in man page format.Man Page Trusted Extensions Modification For More Information add_allocatable commandadd_allocatable1M Enables a device to be allocated by adding the device to device allocation databases. By default, removable devices are allocatable. How to Configure a Device in Trusted Extensions atohexlabel commandatohexlabel1M Translates a label into hexadecimal format. How to Obtain the Hexadecimal Equivalent for a Label chk_encodings commandchk_encodings1M Checks the integrity of the label_encodings file. How to Debug a label_encodings File in Solaris Trusted Extensions Label Administration dtappsession commanddtappsession1 Opens a remote Trusted CDE session by using the Application Manager. Chapter 14, Remote Administration in Trusted Extensions (Tasks) getlabel commandgetlabel1 Displays the label of the selected files or directories. How to Display the Labels of Mounted Files getzonepath commandgetzonepath1 Displays the full pathname of a specific zone. Acquiring a Sensitivity Label in Solaris Trusted Extensions Developer’s Guide hextoalabel commandhextoalabel1M Translates a hexadecimal label into its readable equivalent. How to Obtain a Readable Label From Its Hexadecimal Form plabel commandplabel1 Displays the label of the current process. See the man page. remove_allocatable commandremove_allocatable1M Prevents allocation of a device by removing its entry from device allocation databases. How to Configure a Device in Trusted Extensions setlabel commandsetlabel1 Relabels the selected item. Requires the solaris.label.file.downgrade or solaris.label.file.upgrade authorization. These authorizations are in the Object Label Management rights profile. For the equivalent GUI procedure, see How to Move Files Between Labels in Trusted CDE in Solaris Trusted Extensions User’s Guide. smtnrhdb commandsmtnrhdb1M Manages entries in the tnrhdb database locally or in a naming service database. For equivalent procedures that use the Solaris Management Console, see Configuring Trusted Network Databases (Task Map). smtnrhtp commandsmtnrhtp1M Manages entries in the tnrhtp database locally or in a naming service database. See the man page. smtnzonecfg commandsmtnzonecfg1M Manages entries in the local tnzonecfg database. For an equivalent procedure that uses the Solaris Management Console, see How to Create a Multilevel Port for a Zone. tnchkdb commandsummarytnchkdb1M Checks the integrity of the tnrhdb and tnrhtp databases. How to Check the Syntax of Trusted Network Databases tnctl commandsummarytnctl1M Caches network information in the kernel. How to Synchronize the Kernel Cache With Trusted Network Databases tnd commandsummarytnd1M Executes the trusted network daemon. How to Synchronize the Kernel Cache With Trusted Network Databases tninfo commandsummarytninfo1M Displays kernel-level network information and statistics. How to Compare Trusted Network Database Information With the Kernel Cache. updatehome commandupdatehome1M .copy_files filestartup filefiles.copy_files.link_files filestartup filefiles.link_filesUpdates .copy_files and .link_files for the current label. How to Configure Startup Files for Users in Trusted Extensions The following table lists Solaris commands that are modified or extended by Trusted Extensions. The commands are listed in man page format.Man Page Purpose of Command For More Information allocate commandallocate1 Adds options to clean the allocated device, and to allocate a device to a specific zone. In Trusted Extensions, regular users do not use this command. How to Allocate a Device in Trusted Extensions in Solaris Trusted Extensions User’s Guide deallocate commanddeallocate1 Adds options to clean the device, and to deallocate a device from a specific zone. In Trusted Extensions, regular users do not use this command. How to Allocate a Device in Trusted Extensions in Solaris Trusted Extensions User’s Guide list_devices commandlist_devices1 Adds the a option to display device attributes, such as authorizations and labels. Adds the d option to display the default attributes of an allocated device type. Adds the z option to display available devices that can be allocated to a labeled zone. See the man page. tar commandtar1 Adds the T option to archive and extract files and directories that are labeled. How to Back Up Files in Trusted Extensions and How to Restore Files in Trusted Extensions auditconfig commandauditconfig1M Adds the windata_down and windata_up audit policy options. How to Configure Audit Policy in System Administration Guide: Security Services auditreduce commandauditreduce1M Adds the l option to select audit records by label. How to Select Audit Events From the Audit Trail in System Administration Guide: Security Services automount commandautomount1M Modifies the names and contents of auto_home maps to account for zone names and zone visibility from higher labels. Changes to the Automounter in Trusted Extensions ifconfig commandifconfig1M Adds the all-zones option to make an interface available to every zone on the system. How to Verify That a Host's Interfaces Are Up netstat commandnetstat1M Adds the R option to display extended security attributes for sockets and routing table entries. How to Debug the Trusted Extensions Network route commandroute1M Adds the secattr option to display the security attributes of the route: cipso, doi, max_sl, and min_sl. How to Configure Routes With Security Attributes You can remotely administer a system that is configured with Trusted Extensions by using the ssh command, the dtappsession program, or the Solaris Management Console. If site security policy permits, you can configure a Trusted Extensions host to enable login from a non-Trusted Extensions host, although this configuration is less secure. For more information, see Chapter 14, Remote Administration in Trusted Extensions (Tasks).