Trusted Extensions Configuration and Administration (Oracle Solaris 11.1 Information Library)
The following task map describes procedures to change device authorizations at your site.
If a device does not require an authorization, then, by default, all users can use the device. If an authorization is required, then only authorized users can use the device.
To deny all access to an allocatable device, see Example 21-1. To create and use a new authorization, see Example 21-3.
Before You Begin
You must be in the Security Administrator role in the global zone.
Help files are in HTML format. The naming convention is AuthName.html, as in DeviceAllocateCD.html.
$ auths add -t "Authorization description" -h /full/path/to/helpfile.html authorization-name
$ profiles rights-profile
profiles:rights-profile > add auths="authorization-name"...
# usermod -P "rights-profile" username
# rolemod -P "rights-profile" rolename
Add the new authorizations to the list of required authorizations in the Device Manager. For the procedure, see How to Add Site-Specific Authorizations to a Device in Trusted Extensions.
Example 21-2 Creating Fine-Grained Device Authorizations
In this example, a security administrator for NewCo needs to construct fine-grained device authorizations for the company.
First, the administrator creates the following help files:
Newco.html
NewcoDevAllocateCDVD.html
NewcoDevAllocateUSB.html
Next, the administrator creates a template help file from which the other help files are copied and modified.
<HTML>
<!--
-- Copyright 2012 Newco. All rights reserved.
-- NewcoDevAllocateCDVD.html
-->
<HEAD>
    <TITLE>Newco Allocate CD or DVD Authorization</TITLE>
</HEAD>
<BODY>
The com.newco.dev.allocate.cdvd authorization enables you to allocate the
CD drive on your system for your exclusive use.
<p>
The use of this authorization by a user other than the authorized account
is a security violation.
<p>
</BODY>
</HTML>
After creating the help files, the administrator uses the auths command to create each device authorization. Because the authorizations are used throughout the company, the administrator places the authorizations in the LDAP repository. The command includes the pathname to the help files.
The administrator creates two device authorizations and a Newco authorization header.
One authorization authorizes the user to allocate a CD-ROM or DVD drive.
# auths add -S ldap -t "Allocate CD or DVD" \
    -h /docs/helps/NewcoDevAllocateCDVD.html com.newco.dev.allocate.cdvd
One authorization authorizes the user to allocate a USB device.
# auths add -S ldap -t "Allocate USB" \
    -h /docs/helps/NewcoDevAllocateUSB.html com.newco.dev.allocate.usb
The Newco authorization header identifies all Newco authorizations.
# auths add -S ldap -t "Newco Auth Header" \
    -h /docs/helps/Newco.html com.newco
Example 21-3 Creating and Assigning Trusted Path and Non-Trusted Path Device Authorizations
By default, the Allocate Devices authorization enables allocation from the Trusted Path and from outside the Trusted Path.
In the following example, site security policy requires restricting remote CD-ROM and DVD allocation. The security administrator creates the com.newco.dev.allocate.cdvd.local authorization. This authorization is for CD-ROM and DVD drives that are allocated with the Trusted Path. The com.newco.dev.allocate.cdvd.remote authorization is for those few users who are allowed to allocate a CD-ROM or DVD drive outside the Trusted Path.
The security administrator creates the help files, adds the device authorizations to the auth_attr database, adds the authorizations to the devices, and then places the authorizations in rights profiles. The root role assigns the profiles to users who are allowed to allocate devices.
The following commands add the device authorizations to the auth_attr database:
$ auths add -S ldap -t "Allocate Local DVD or CD" \
    -h /docs/helps/NewcoDevAllocateCDVDLocal.html \
    com.newco.dev.allocate.cdvd.local
$ auths add -S ldap -t "Allocate Remote DVD or CD" \
    -h /docs/helps/NewcoDevAllocateCDVDRemote.html \
    com.newco.dev.allocate.cdvd.remote
The following shows the Device Manager assignment:
Local allocation of the CD-ROM drive is protected by the Trusted Path.
Device Name: cdrom_0
For Allocations From: Trusted Path
Allocatable By: Authorized Users
Authorizations: com.newco.dev.allocate.cdvd.local
Remote allocation is not protected by the Trusted Path. Therefore, remote users must be trustworthy. In the final step, the administrator will authorize remote allocation for two roles only.
Device Name: cdrom_0
For Allocations From: Non-Trusted Path
Allocatable By: Authorized Users
Authorizations: com.newco.dev.allocate.cdvd.remote
The following commands create the Newco rights profiles for these authorizations and add the authorizations to the profiles:
$ profiles -S ldap "Remote Allocator"
profiles:Remote Allocator > set desc="Allocate Remote CDs and DVDs"
profiles:Remote Allocator > set help="/docs/helps/NewcoDevRemoteCDVD.html"
profiles:Remote Allocator > add auths="com.newco.dev.allocate.cdvd.remote"
profiles:Remote Allocator > end
profiles:Remote Allocator > exit
$ profiles -S ldap "Local Only Allocator"
profiles:Local Only Allocator > set desc="Allocate Local CDs and DVDs"
profiles:Local Only Allocator > set help="/docs/helps/NewcoDevLocalCDVD.html"
profiles:Local Only Allocator > add auths="com.newco.dev.allocate.cdvd.local"
profiles:Local Only Allocator > end
profiles:Local Only Allocator > exit
The following commands assign the rights profiles to authorized users. The root role assigns the profiles. At this site, only roles are authorized to remotely allocate peripheral devices.
# usermod -P "Local Only Allocator" jdoe
# usermod -P "Local Only Allocator" kdoe
# rolemod -P "Remote Allocator" secadmin
# rolemod -P "Remote Allocator" sysadmin
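The site rule in Example 21-3, that only roles may allocate remotely, can be audited by resolving each account's rights profiles to authorizations. The following is an added example, not Oracle's code: it parses constructed entries laid out like prof_attr(4) and user_attr(4) records, the helper names holders and remote_policy_ok are hypothetical, and it ignores wildcard authorizations and nested profiles.

```shell
#!/bin/sh
# Added example: list accounts that hold a device authorization through
# their rights profiles. All entries below are constructed for illustration.

# Constructed prof_attr(4)-style entries: profname:res1:res2:desc:attr
PROF_ATTR='Remote Allocator:::Allocate Remote CDs and DVDs:auths=com.newco.dev.allocate.cdvd.remote;help=NewcoDevRemoteCDVD.html
Local Only Allocator:::Allocate Local CDs and DVDs:auths=com.newco.dev.allocate.cdvd.local;help=NewcoDevLocalCDVD.html'

# Constructed user_attr(4)-style entries: user:qualifier:res1:res2:attr
USER_ATTR='jdoe::::type=normal;profiles=Local Only Allocator
kdoe::::type=normal;profiles=Local Only Allocator
secadmin::::type=role;profiles=Remote Allocator
sysadmin::::type=role;profiles=Remote Allocator'

# holders AUTH [TYPE]: print "account type" for each account whose assigned
# profiles grant AUTH, optionally limited to TYPE (normal or role).
holders() {
    { printf '%s\n' "$PROF_ATTR"; echo '--'; printf '%s\n' "$USER_ATTR"; } |
    awk -F: -v auth="$1" -v want="$2" '
        function attr(s, key,   n, i, kv) {   # value of key in "k=v;k=v"
            n = split(s, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], key "=") == 1) return substr(kv[i], length(key) + 2)
            return ""
        }
        $0 == "--" { users = 1; next }        # separator between the two tables
        !users {                              # prof_attr: note profiles granting auth
            n = split(attr($5, "auths"), a, ",")
            for (i = 1; i <= n; i++) if (a[i] == auth) grants[$1] = 1
            next
        }
        {                                     # user_attr: test each assigned profile
            type = attr($5, "type"); if (type == "") type = "normal"
            n = split(attr($5, "profiles"), p, ",")
            for (i = 1; i <= n; i++)
                if (p[i] in grants && (want == "" || type == want)) { print $1, type; break }
        }'
}

# Policy from Example 21-3: no normal user holds the remote authorization.
remote_policy_ok() {
    [ -z "$(holders com.newco.dev.allocate.cdvd.remote normal)" ]
}

holders com.newco.dev.allocate.cdvd.remote
remote_policy_ok && echo "policy holds: only roles can allocate remotely"
```

An entry with no type attribute is treated as a normal user, so an account that is given the Remote Allocator profile without being a role fails the check.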
Before You Begin
You must be in the Security Administrator role, or in a role that includes the Configure Device Attributes authorization. You must have already created site-specific authorizations, as described in How to Create New Device Authorizations.
The new authorizations are displayed in the Not Required list.
The Allocate Device authorization enables users to allocate a device. The Allocate Device authorization, and the Revoke or Reclaim Device authorization, are appropriate for administrative roles.
Before You Begin
You must be in the Security Administrator role in the global zone.
If the existing profiles are not appropriate, the security administrator can create a new profile. For an example, see How to Create a Rights Profile for Convenient Authorizations.
For the step-by-step procedure, see How to Change the Security Attributes of a User in Oracle Solaris 11.1 Administration: Security Services.
The following rights profiles enable a role to allocate devices:
All Authorizations
Device Management
Media Backup
Object Label Management
Software Installation
The following rights profiles enable a role to revoke or reclaim devices:
All Authorizations
Device Management
The following rights profiles enable a role to create or configure devices:
All Authorizations
Device Security
Example 21-2 shows how to assign the authorizations.