JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions Configuration and Administration     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

6.  Trusted Extensions Administration Concepts

7.  Trusted Extensions Administration Tools

8.  Security Requirements on a Trusted Extensions System (Overview)

9.  Performing Common Tasks in Trusted Extensions

10.  Users, Rights, and Roles in Trusted Extensions (Overview)

11.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

12.  Remote Administration in Trusted Extensions (Tasks)

13.  Managing Zones in Trusted Extensions

14.  Managing and Mounting Files in Trusted Extensions

15.  Trusted Networking (Overview)

16.  Managing Networks in Trusted Extensions (Tasks)

17.  Trusted Extensions and LDAP (Overview)

18.  Multilevel Mail in Trusted Extensions (Overview)

19.  Managing Labeled Printing (Tasks)

20.  Devices in Trusted Extensions (Overview)

21.  Managing Devices for Trusted Extensions (Tasks)

Handling Devices in Trusted Extensions (Task Map)

Using Devices in Trusted Extensions (Task Map)

Managing Devices in Trusted Extensions (Task Map)

How to Configure a Device in Trusted Extensions

How to Revoke or Reclaim a Device in Trusted Extensions

How to Protect Nonallocatable Devices in Trusted Extensions

How to Add a Device_Clean Script in Trusted Extensions

Customizing Device Authorizations in Trusted Extensions (Task Map)

How to Create New Device Authorizations

How to Add Site-Specific Authorizations to a Device in Trusted Extensions

How to Assign Device Authorizations

22.  Trusted Extensions Auditing (Overview)

23.  Software Management in Trusted Extensions

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

C.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Oracle Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

D.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Oracle Solaris Man Pages That Are Modified by Trusted Extensions

Glossary

Index

Managing Devices in Trusted Extensions (Task Map)

The following task map describes procedures to protect devices at your site.

Task
Description
For Instructions
Set or modify device policy.
Changes the privileges that are required to access a device.
Authorize users to allocate a device.
The Security Administrator role assigns a rights profile with the Allocate Device authorization to the user.
The Security Administrator role assigns a profile with the site-specific authorizations to the user.
Configure a device.
Chooses security features to protect the device.
Revoke or reclaim a device.
Uses the Device Manager to make a device available for use.
Uses Oracle Solaris commands to make a device available or unavailable for use.
Prevent access to an allocatable device.
Provides fine–grained access control to a device.
Denies everyone access to an allocatable device.
Protect printers and frame buffers.
Ensures that nonallocatable devices are not allocatable.
Use a new device-clean script.
Places a new script in the appropriate places.

How to Configure a Device in Trusted Extensions

By default, an allocatable device has a label range from ADMIN_LOW to ADMIN_HIGH and must be allocated for use. Also, users must be authorized to allocate the device. These defaults can be changed.

The following devices can be allocated for use:

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. From the Trusted Path menu, select Allocate Device.

    The Device Manager appears.


    image:Device Manager shows the devices that are available to root. The Administration menu near the bottom left opens the Administration GUI.
  2. View the default security settings.

    Click Administration, then highlight the device. The following figure shows an audio device that is being viewed by the root role.


    image:Device Properties: audio0 dialog box shows the default security settings for an audio device allocated by root in the global zone.
  3. (Optional) Restrict the label range on the device.
    1. Set the minimum label.

      Click the Min Label button. Choose a minimum label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions.

    2. Set the maximum label.

      Click the Max Label... button. Choose a maximum label from the label builder.

  4. Specify if the device can be allocated locally.

    In the Device Configuration dialog box, under For Allocations From Trusted Path, select an option from the Allocatable By list. By default, the Authorized Users option is checked. Therefore, the device is allocatable and users must be authorized.

    • To make the device nonallocatable, click No Users.

      When configuring a printer, frame buffer, or other device that must not be allocatable, select No Users.

    • To make the device allocatable, but to not require authorization, click All Users.
  5. Specify if the device can be allocated remotely.

    In the For Allocations From Non-Trusted Path section, select an option from the Allocatable By list. By default, the Same As Trusted Path option is checked.

    • To require user authorization, select Allocatable by Authorized Users.
    • To make the device nonallocatable by remote users, select No Users.
    • To make the device allocatable by anyone, select All Users.
  6. If the device is allocatable, and your site has created new device authorizations, select the appropriate authorization.

    The following dialog box shows the solaris.device.allocate authorization is required to allocate the cdrom0 device.


    image:Device Properties: audio0 dialog box shows required authorization for the device.

    To create and use site-specific device authorizations, see Customizing Device Authorizations in Trusted Extensions (Task Map).

  7. To save your changes, click OK.

How to Revoke or Reclaim a Device in Trusted Extensions

If a device is not listed in the Device Manager, it might already be allocated or it might be in an allocate error state. The system administrator can recover the device for use.

Before You Begin

You must be in the System Administrator role in the global zone. This role includes the solaris.device.revoke authorization.

  1. From the Trusted Path menu, select Allocate Device.

    In the following figure, the audio device is already allocated to a user.


    image:Device Manager shows that the audio0 device is allocated to the user at the label internal.
  2. Click the Administration button.
  3. Check the status of a device.

    Select the device name and check the State field.

    • If the State field is Allocate Error State, click the Reclaim button.
    • If the State field is Allocated, do one of the following:
      • Ask the user in the Owner field to deallocate the device.
      • Force deallocation of the device by clicking the Revoke button.
  4. Close the Device Manager.

How to Protect Nonallocatable Devices in Trusted Extensions

The No Users option in the Allocatable By section of the Device Configuration dialog box is used most often for the frame buffer and printer, which do not have to be allocated to be used.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. From the Trusted Path menu, select Allocate Device.
  2. In the Device Manager, click the Administration button.
  3. Select the new printer or frame buffer.
    1. To make the device nonallocatable, click No Users.
    2. (Optional) Restrict the label range on the device.
      1. Set the minimum label.

        Click the Min Label... button. Choose a minimum label from the label builder. For information about the label builder, see Label Builder in Trusted Extensions.

      2. Set the maximum label.

        Click the Max Label... button. Choose a maximum label from the label builder.

Example 21-1 Preventing Remote Allocation of the Audio Device

The No Users option in the Allocatable By section prevents remote users from hearing conversations around a remote system.

The security administrator configures the audio device in the Device Manager as follows:

Device Name: audio
For Allocations From: Trusted Path
Allocatable By: Authorized Users
Authorizations: solaris.device.allocate
Device Name: audio
For Allocations From: Non-Trusted Pathh
Allocatable By: No Users

How to Add a Device_Clean Script in Trusted Extensions

If no device_clean script is specified at the time a device is created, the default script, /bin/true, is used.

Before You Begin

Have ready a script that purges all usable data from the physical device and that returns 0 for success. For devices with removable media, the script attempts to eject the media if the user does not do so. The script puts the device into the allocate error state if the medium is not ejected. For details about the requirements, see the device_clean(5) man page.

You must be in the root role in the global zone.

  1. Copy the script into the /etc/security/lib directory.
  2. In the Device Properties dialog box, specify the full path to the script.
    1. Open the Device Manager.
    2. Click the Administration button.
    3. Select the name of the device, and click the Configure button.
    4. In the Clean Program field, type the full path to the script.
  3. Save your changes.