The Solaris 9 Operating Environment provides a device allocation method that fulfills the Trusted Computer System Evaluation Criteria (TCSEC) object-reuse requirement for computing systems at level C2 and above.
The device allocation mechanism prevents simultaneous access to a device, prevents one user from reading media being written to the device by another user, and prevents one user from accessing any information from the device or driver internal storage after another user is finished with the device.
For example, several users often share a single tape drive that may not be located at an individual user's location. If the tape drive is located remotely, some time can elapse between the time the user loads a tape in the drive and the time the user invokes a command to access the tape in the drive. Because other users could access the drive while the tape is unattended, another user could access or overwrite the data on the tape. With the device allocation mechanism, you can ensure that one user at a time has access to a specific tape device.
Use the commands described in Table 56 to manage device allocation.
NOTE. The device allocation commands are available only if the Basic Security Module (BSM) has been enabled.
The Basic Security Module (BSM) is the Sun Microsystems implementation of C2 security. It provides an auditing capability with self-contained audit records that contain all the relevant information about an event. For example, an audit record describing a file event contains the absolute path name and a time stamp and date stamp of the opening or closing of the file.
Use the bsmconv command as root to enable BSM.
NOTE. The bsmconv command adds a line to /etc/system that disables the ability to abort the system with the Stop-A keyboard sequence. If you want to retain that ability, you must comment out the following line in the /etc/system file after you run the bsmconv command.
set abort_enable = 0
Use the following procedure to enable BSM.
The following example uses the bsmconv command to enable the Basic Security Module and uses the telinit 6 command to reboot the system.
# /etc/security/bsmconv
This script is used to enable the Basic Security Module (BSM).
Shall we continue with the conversion now? [y/n] y
bsmconv: INFO: checking startup file.
bsmconv: INFO: move aside /etc/rc2.d/S92volmgt.
bsmconv: INFO: turning on audit module.
bsmconv: INFO: initializing device allocation files.
The Basic Security Module is ready.
If there were any errors, please fix them now.
Configure BSM by editing files located in /etc/security.
Reboot this system now to come up with BSM enabled.
# telinit 6
If you no longer require BSM, you can disable it with the bsmunconv command. Use the following steps to disable BSM and remove the BSM entry from the /etc/system file.
The following example uses the bsmunconv command to disable the Basic Security Module.
# /etc/security/bsmunconv
This script is used to disable the Basic Security Module (BSM).
Shall we continue the reversion to a non-BSM system now? [y/n] y
bsmunconv: INFO: moving aside /etc/security/audit_startup.
bsmunconv: INFO: restore /etc/rc2.d/S92volmgt.
bsmunconv: INFO: removing c2audit:audit_load from /etc/system.
The Basic Security Module has been disabled.
Reboot this system now to come up without BSM.
# telinit 6
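To confirm what bsmconv or bsmunconv left in /etc/system, the check below reads the file's text and reports whether the audit module load line is active and whether Stop-A is disabled. It is an added example, not part of the original text: the function names and both sample fragments are constructed, and it assumes the load line reads `set c2audit:audit_load = 1` and that `*` starts a comment in /etc/system.

```shell
#!/bin/sh
# Constructed /etc/system fragment as left by bsmconv.
after_bsmconv() {
cat <<'EOF'
* sample /etc/system (constructed)
set c2audit:audit_load = 1
set abort_enable = 0
EOF
}

# Constructed fragment after the administrator comments out abort_enable.
stop_a_restored() {
cat <<'EOF'
set c2audit:audit_load = 1
* set abort_enable = 0
EOF
}

# Read /etc/system text on stdin; print "audit=<on|off> stop_a=<disabled|enabled>".
# A commented-out line must not count as a live setting.
bsm_state() {
    awk '
        /^[ \t]*\*/ { next }                     # "*" starts a comment line
        $1 == "set" {
            stmt = $0
            sub(/^[ \t]*set[ \t]+/, "", stmt)    # drop the "set" keyword
            gsub(/[ \t]/, "", stmt)              # "name = value" -> "name=value"
            split(stmt, kv, "=")
            if (kv[1] == "c2audit:audit_load") loadv = kv[2]
            if (kv[1] == "abort_enable")       abortv = kv[2]
        }
        END {
            printf "audit=%s stop_a=%s\n", (loadv == "1" ? "on" : "off"),
                                           (abortv == "0" ? "disabled" : "enabled")
        }'
}

after_bsmconv | bsm_state
stop_a_restored | bsm_state
```

On a live system, run it as `bsm_state < /etc/system` before the reboot.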
Listing Device Information
You can access information about allocatable devices with the list_devices command.
Table 57 lists the options to the list_devices command.
The following example shows the long listing for the list_devices command.
mopoke% list_devices -l
device: audio type: audio files: /dev/audio /dev/audioctl /dev/sound/0 /dev/sound/0ctl
device: fd0 type: fd files: /dev/diskette /dev/rdiskette /dev/fd0a /dev/rfd0a /dev/fd0 /dev/fd0b /dev/rfd0b /dev/fd0c /dev/rfd0c /dev/rfd0
device: sr0 type: sr files: /dev/sr0 /dev/rsr0 /dev/dsk/c1t1d0s0 /dev/dsk/c1t1d0s1 /dev/dsk/c1t1d0s2 /dev/dsk/c1t1d0s3 /dev/dsk/c1t1d0s4 /dev/dsk/c1t1d0s5 /dev/dsk/c1t1d0s6 /dev/dsk/c1t1d0s7 /dev/rdsk/c1t1d0s0 /dev/rdsk/c1t1d0s1 /dev/rdsk/c1t1d0s2 /dev/rdsk/c1t1d0s3 /dev/rdsk/c1t1d0s4 /dev/rdsk/c1t1d0s5 /dev/rdsk/c1t1d0s6 /dev/rdsk/c1t1d0s7
mopoke%
The /etc/security/device_maps file contains access information about each physical device. Each device is represented by a one-line entry.
The default device_maps file is shown below.
mopoke% more /etc/security/device_maps
audio:\
        audio:\
        /dev/audio /dev/audioctl /dev/sound/0 /dev/sound/0ctl:\
fd0:\
        fd:\
        /dev/diskette /dev/rdiskette /dev/fd0a /dev/rfd0a /dev/fd0 /dev/fd0b /dev/rfd0b /dev/fd0c /dev/rfd0c /dev/rfd0:\
sr0:\
        sr:\
        /dev/sr0 /dev/rsr0 /dev/dsk/c1t1d0s0 /dev/dsk/c1t1d0s1 /dev/dsk/c1t1d0s2 /dev/dsk/c1t1d0s3 /dev/dsk/c1t1d0s4 /dev/dsk/c1t1d0s5 /dev/dsk/c1t1d0s6 /dev/dsk/c1t1d0s7 /dev/rdsk/c1t1d0s0 /dev/rdsk/c1t1d0s1 /dev/rdsk/c1t1d0s2 /dev/rdsk/c1t1d0s3 /dev/rdsk/c1t1d0s4 /dev/rdsk/c1t1d0s5 /dev/rdsk/c1t1d0s6 /dev/rdsk/c1t1d0s7:\
mopoke%
You can use the dminfo command to report information about a device entry in the /etc/security/device_maps file.
Table 58 lists the options to the dminfo command.
The following example uses the verbose option to display all device_maps entries.
mopoke% dminfo -v
audio:audio:/dev/audio /dev/audioctl /dev/sound/0 /dev/sound/0ctl:
fd0:fd:/dev/diskette /dev/rdiskette /dev/fd0a /dev/rfd0a /dev/fd0 /dev/fd0b /dev/rfd0b /dev/fd0c /dev/rfd0c /dev/rfd0:
sr0:sr:/dev/sr0 /dev/rsr0 /dev/dsk/c1t1d0s0 /dev/dsk/c1t1d0s1 /dev/dsk/c1t1d0s2 /dev/dsk/c1t1d0s3 /dev/dsk/c1t1d0s4 /dev/dsk/c1t1d0s5 /dev/dsk/c1t1d0s6 /dev/dsk/c1t1d0s7 /dev/rdsk/c1t1d0s0 /dev/rdsk/c1t1d0s1 /dev/rdsk/c1t1d0s2 /dev/rdsk/c1t1d0s3 /dev/rdsk/c1t1d0s4 /dev/rdsk/c1t1d0s5 /dev/rdsk/c1t1d0s6 /dev/rdsk/c1t1d0s7:
mopoke%
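The device_maps layout shown above can be parsed directly when auditing which device files an entry covers. The sketch below is an added example, not part of the original text or of Solaris: the function names are hypothetical, the sample is constructed and shortened from the listing above, and it assumes the file is a sequence of colon-terminated name, type, and file-list fields, as in the dminfo -v output.

```shell
#!/bin/sh
# Constructed sample in device_maps layout, shortened from the listing above.
sample_device_maps() {
cat <<'EOF'
audio:\
        audio:\
        /dev/audio /dev/audioctl /dev/sound/0 /dev/sound/0ctl:\
fd0:\
        fd:\
        /dev/diskette /dev/rdiskette /dev/fd0 /dev/rfd0:\
sr0:\
        sr:\
        /dev/sr0 /dev/rsr0 /dev/dsk/c1t1d0s2 /dev/rdsk/c1t1d0s2:\
EOF
}

# Read device_maps text on stdin; print one "name:type:files" line per device.
maps_records() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*#/ { next }                      # skip comment lines
        { line = $0
          sub(/\\[ \t]*$/, "", line)             # drop the continuation backslash
          buf = buf " " line }
        END {
            n = split(buf, f, ":")               # fields arrive as name, type, files
            for (i = 1; i + 2 <= n; i += 3) {
                files = f[i + 2]; gsub(/[ \t]+/, " ", files)
                print trim(f[i]) ":" trim(f[i + 1]) ":" trim(files)
            }
        }'
}

# Print "name type" for the entry that lists device file $1; status 1 if none.
device_for_file() {
    maps_records | awk -F: -v want="$1" '
        { n = split($3, p, " ")
          for (i = 1; i <= n; i++) if (p[i] == want) { print $1, $2; found = 1 } }
        END { exit(found ? 0 : 1) }'
}

# Print each path argument that no device_maps entry lists.
unlisted_files() {
    listed=$(maps_records | awk -F: '{ n = split($3, p, " ")
                                       for (i = 1; i <= n; i++) print p[i] }')
    for path in "$@"; do
        printf '%s\n' "$listed" | grep -Fqx -- "$path" || printf '%s\n' "$path"
    done
}

sample_device_maps | maps_records
```

Against a real file, feed it on standard input, for example `unlisted_files /dev/rmt/0 < /etc/security/device_maps`; a path that is printed is not listed in any entry.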
Allocating a Device
Use the allocate command to allocate a device.
Table 59 lists the options to the allocate command.
The following example allocates a tape drive.
mopoke% allocate st0
mopoke%
The following example allocates audio files by type.
mopoke% allocate -g audio files
mopoke%
Deallocating a Device
Use the deallocate command to deallocate a device allocated to the invoking user.
Table 60 lists the options to the deallocate command.
The following example deallocates the st0 device.
mopoke% deallocate st0
mopoke%