Dave's Bit Bucket

Dave Walker's jottings - mostly pertaining to security


20070902 Sunday September 02, 2007

TX-Ranger, config script v1.0

Jeff's come up with v1.0 of the goods, bless him :-)

This hasn't been posted to opensolaris.org yet, on the grounds that it doesn't quite work correctly with the SXDE / Nevada releases; however, it works just fine with Solaris 10 11/06 (aka Update 3), which is the current version of the production code.

So, if you want to do a simple automated build of Trusted Extensions specifically on Solaris 10 11/06 and with the default label_encodings file, do the following:

  • assume root in the global zone
  • delete any non-global zones
  • cut and paste the script into your preferred editor
  • save it, chmod it to 500
  • run it, read the README
  • copy the TX packages to a suitable scratch area
  • let it rip :-)
Here's the code.

Caveat emptor: I've done my best to format the code as HTML, as I have yet to figure out how to post downloadable files to blogs.sun.com, but if you find a formatting error, please let me know ASAP.

Jeff has Done The Right Thing regarding formatting and indentation, and I can only apologise to him if this doesn't come across properly as a result of my lack of skill in HTML formatting.

NB. If you find a problem with the script as reproduced below, please report it to me, initially.

#!/bin/ksh
# Korn shell script to automate the creation of a demonstration environment
# that can be used to demonstrate Solaris 10 Trusted Extensions
# Script written by: Jeff Turner, Context-Switch Limited
# ( Jeff [dot] Turner [at] Context-Switch [dot] com )
# Version: A.0
# Creation Date: 08/13/07
#

##################################################################
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2007 Context-Switch Limited. All rights reserved.
# Use is subject to license terms.
#
#ident "@(#)txranger 1.0 07/08/13"
#
##################################################################

# This script provides a simple TUI for managing labeled zones.
# It takes no arguments, but provides contextual menus which
# provide appropriate choices. It must be run in the global
# zone as root.
#
# To read the README text, invoke the program and select option 'r'
#

###########START OF PROGRAM######################################

# GLOBAL VARIABLES and SETTINGS
BON="$(tput smso)" export BON # char-sequence to turn reverse text display on
BOF="$(tput rmso)" export BOF # char-sequence to turn reverse text display off
CLR="$(tput clear)" export CLR # char-sequence to clear the screen display
CURR_DIR=${PWD} export CURR_DIR
PACKAGE_DIR=/tx/Trusted_Extensions/Packages export PACKAGE_DIR

LIST1=" SUNWtsg SUNWtsu SUNWtsr SUNWtsmc SUNWxwts SUNWdttsr SUNWtgnome-docs"
LIST2=" SUNWtgnome-tsol-libs SUNWtgnome-tsol-libs-devel SUNWtgnome-tsoljdsdevmgr SUNWtgnome-tsoljdslabel"
LIST3=" SUNWtgnome-tsoljdsselmgr SUNWtgnome-tstripe SUNWtgnome-xagent SUNWmgts SUNWjdtts SUNWjmgts SUNWjtsu"
LIST4=" SUNWkdtts SUNWkmgts SUNWktsu SUNWodtts SUNWdttshelp SUNWdttsu SUNWtsman SUNWjtsman"
LIST5=" SUNWtgnome-l10n-doc-ja SUNWtgnome-l10n-doc-ko SUNWtgnome-l10n-ui-de SUNWtgnome-l10n-ui-es"
LIST6=" SUNWtgnome-l10n-ui-fr SUNWtgnome-l10n-ui-it SUNWtgnome-l10n-ui-ja SUNWtgnome-l10n-ui-ko"
LIST7=" SUNWtgnome-l10n-ui-ptBR SUNWtgnome-l10n-ui-ru SUNWtgnome-l10n-ui-sv SUNWtgnome-l10n-ui-zhCN"
LIST8=" SUNWtgnome-l10n-ui-zhHK SUNWtgnome-l10n-ui-zhTW"
PACKAGE_LIST="${LIST1} ${LIST2} ${LIST3} ${LIST4} ${LIST5} ${LIST6} ${LIST7} ${LIST8}"

RLST1=" SUNWtgnome-l10n-ui-zhTW SUNWtgnome-l10n-ui-zhHK SUNWtgnome-l10n-ui-zhCN SUNWtgnome-l10n-ui-sv"
RLST2=" SUNWtgnome-l10n-ui-ru SUNWtgnome-l10n-ui-ptBR SUNWtgnome-l10n-ui-ko SUNWtgnome-l10n-ui-ja"
RLST3=" SUNWtgnome-l10n-ui-it SUNWtgnome-l10n-ui-fr SUNWtgnome-l10n-ui-es SUNWtgnome-l10n-ui-de"
RLST4=" SUNWtgnome-l10n-doc-ko SUNWtgnome-l10n-doc-ja SUNWjtsman SUNWtsman SUNWdttsu SUNWdttshelp"
RLST5=" SUNWodtts SUNWktsu SUNWkmgts SUNWkdtts SUNWjtsu SUNWjmgts SUNWjdtts SUNWmgts SUNWtgnome-xagent"
RLST6=" SUNWtgnome-tstripe SUNWtgnome-tsoljdsselmgr SUNWtgnome-tsoljdslabel SUNWtgnome-tsoljdsdevmgr"
RLST7=" SUNWtgnome-tsol-libs-devel SUNWtgnome-tsol-libs SUNWtgnome-docs SUNWdttsr SUNWxwts SUNWtsmc"
RLST8=" SUNWtsr SUNWtsu SUNWtsg"
PACKAGE_RM="${RLST1} ${RLST2} ${RLST3} ${RLST4} ${RLST5} ${RLST6} ${RLST7} ${RLST8}"

stty intr '^C'  # Interrupt set to Control-C

# GLOBAL FUNCTIONS
function screenhead
{
echo "${CLR}\n\t${BON} Trusted Extensions - txranger ${BOF}\n"
echo " This program allows you to install or remove"
echo " the Trusted Extensions demo environment.\n"
echo " Primary Network Port: ${NETPORT}"
echo " Nodename is: ${NODENAME}"
echo " Original IP address: ${IPADDR}"
echo " IPAddr will be set to: 10.1.70.${OCTET}"
echo " Interrupt is set to: ^C"
echo " TX Source directory: ${PACKAGE_DIR}"
echo "\n\n"
}

function holder
{
echo "\nPress ${BON}RETURN${BOF} to continue:\c"
read PRESSRETN
}

####################### BODY OF SCRIPT ######

# Validate that this is running on a Solaris 10 (or Nevada) system
which zonename > /dev/null 2>&1
if [[ $? != 0 ]]
then
echo "${CLR}ERROR\a"
echo "This is not a Solaris 10 compatible system."
echo "Exiting now."
exit 1
else
THISZONE=$(zonename)
if [[ "${THISZONE}" != "global" || "${LOGNAME}" != "root" ]]
then
echo "${CLR}ERROR\a"
echo "This script must be executed in the global zone by the root user"
echo "Exiting now."
exit 1
fi
fi

# If we get to here, we are OK to execute

# Determine the nodename of this host and the primary network port in use.
NODENAME=$(cat /etc/nodename) export NODENAME
NODENAME="${NODENAME%%.*}" export NODENAME
STATUS=1 export STATUS

for CHECKFILE in /etc/hostname.*[0-9]
do
grep "${NODENAME}" "${CHECKFILE}" > /dev/null && STATUS=0

if (( STATUS == 0 ))
then
NETPORT="${CHECKFILE##*.}" export NETPORT
IPADDR=$(nawk "/${NODENAME}/ {print \$1}" /etc/inet/ipnodes) export IPADDR
OCTET="${IPADDR##*.}" export OCTET
break
fi
done

while true
do
screenhead # call function

echo "Before you install, you are recommended to ${BON}read the Readme${BOF} document\n"
echo "Do you want to (I)nstall or (U)ninstall the Trusted Extensions(TX) Demo"
echo "Read the (R)eadme doc or (Q)uit from this program?\n"
echo "Please enter your choice (i/q/r/u): [ ]\b\b\c"
read CHOICE other
case "${CHOICE}" in

[iI]*) # Install was selected
STEP=I export STEP
break ;;

[Qq]*) # Quit was selected
echo "Quitting the program now..." ; sleep 2
exit 0 ;;

[rR]*) # Read the README doc
STEP=R
break ;;

[uU]*) # Uninstall was selected
STEP=U export STEP
break ;;

*) # Not a valid choice
echo "\aPlease enter the letter (as shown in the menu) associated with your choice!\n"
holder # call the function
;;

esac
done

###################INSTALL PHASE#################
if [[ "${STEP}" == "I" ]]
then

################################
# Set the directory pathname for
# the source of the packages
################################
while true
do

screenhead # call the function

if [[ -d "${PACKAGE_DIR}" ]]
then
if [[ -d ${PACKAGE_DIR}/SUNWtsg ]]
then
break
else
PACKAGE_DIR=""
continue
fi
else
echo "The source directory for the TX packages either does not exist"
echo "or is in a different location."
echo "\n\nPlease enter the absolute pathname of the directory containing"
echo "the Trusted Extension packages. For example: ${PACKAGE_DIR}\n"
echo "Pathname is: \c"
read PATH2PACKAGES other
if [[ -d ${PATH2PACKAGES} ]]
then
PACKAGE_DIR="${PATH2PACKAGES}"
continue
else
echo "\n\aSorry. That pathname does not seem to be valid."
holder # call the function (it already waits for RETURN)
fi
fi
done

#################################
# Install the packages if they
# are not already installed.
#
# If they are installed, then offer
# to remove the packages.
#################################

while true
do

screenhead # call the function

pkginfo SUNWtsg > /dev/null 2>&1

if (( $? == 0 ))
then
# Packages must already be installed
echo "The Trusted Extensions packages appear to already be installed."
echo "Perhaps you should uninstall them first then run this install program again?"
exit 1
else
echo "Installing the packages on the system. Please be patient..."
sleep 2
for PKGLIST in ${PACKAGE_LIST}
do
echo "Installing package: ${PKGLIST}"
yes | pkgadd -d "${PACKAGE_DIR}" ${PKGLIST} > /dev/null
done
break
fi
done

screenhead # call the function

echo "Creating the network files now..."

###### Now create the network control files
CHECK=0
if [[ ! -f /var/tmp/txnetfiles.backup.tar ]]
then
# Make a backup of the primary network control files
echo "Backing up network port and file information"
BACKUPFILES="/etc/hostname.${NETPORT} /etc/inet/ipnodes /etc/inet/hosts /etc/inet/netmasks"
BACKUPFILES="${BACKUPFILES} /etc/inet/networks /etc/hosts /etc/netmasks /etc/networks"
BACKUPFILES="${BACKUPFILES} /etc/nodename /etc/user_attr /etc/passwd /etc/shadow"
BACKUPFILES="${BACKUPFILES} /etc/dfs/dfstab /etc/security/tsol/tn*"
tar cf /var/tmp/txnetfiles.backup.tar ${BACKUPFILES} 2>/dev/null || CHECK=1
if [[ "${CHECK}" == 1 ]]
then
echo "Error encountered during the backup of original files."
echo "Exiting now."
exit 1
fi
# The archive contains /etc/shadow, so make it readable by root only
chmod 600 /var/tmp/txnetfiles.backup.tar
fi

# Now, replace with the TX-demo-compliant file
# Create network port file
echo "${NODENAME} netmask + broadcast + up \\" > /etc/hostname.${NETPORT}
echo "addif ${NODENAME}-zones all-zones up" >> /etc/hostname.${NETPORT} && STATUS=0

# Create network ipnodes file
echo "#" > /etc/inet/ipnodes
echo "# Internet hosts" >> /etc/inet/ipnodes
echo "#" >> /etc/inet/ipnodes
echo "127.0.0.1 loopback localhost loghost" >> /etc/inet/ipnodes
echo "10.1.70.${OCTET} ${NODENAME} ${NODENAME}.global.zone" >> /etc/inet/ipnodes

# Create network hosts file
echo "#" > /etc/inet/hosts
echo "# Internet hosts" >> /etc/inet/hosts
echo "#" >> /etc/inet/hosts
echo "127.0.0.1 loopback localhost loghost" >> /etc/inet/hosts
echo "10.1.70.${OCTET} ${NODENAME} ${NODENAME}.global.zone" >> /etc/inet/hosts
echo "10.1.71.${OCTET} public" >> /etc/inet/hosts
echo "10.1.72.${OCTET} confidential" >> /etc/inet/hosts
echo "10.1.73.${OCTET} ntk" >> /etc/inet/hosts
echo "10.1.74.${OCTET} internal" >> /etc/inet/hosts

# Update the /etc/netmasks file
echo "10.1.0.0 255.255.0.0" >> /etc/netmasks

# Create the required entries in the /etc/tsol directory
# trusted network remote-host data-base file
echo "10.1.0.0:cipso" >> /etc/security/tsol/tnrhdb

# trusted network remote-host template file
echo "public:min_sl=0x0002-08-08;max_sl=0x0002-08-08;def_label=0x0002-08-08;doi=1;host_type=unlabeled" >> /etc/security/tsol/tnrhtp
echo "confidential:min_sl=0x0004-08-08;max_sl=0x0004-08-78;def_label=0x0002-08-08;doi=1;host_type=unlabeled" >> /etc/security/tsol/tnrhtp
echo "ntk:min_sl=0x0004-08-08;max_sl=0x0004-08-68;def_label=0x0002-08-08;doi=1;host_type=unlabeled" >> /etc/security/tsol/tnrhtp
echo "internal:min_sl=0x0004-08-08;max_sl=0x0004-08-48;def_label=0x0002-08-08;doi=1;host_type=unlabeled" >> /etc/security/tsol/tnrhtp

# trusted network zone configuration file

echo "public:0x0002-08-08:0::" >> /etc/security/tsol/tnzonecfg
echo "confidential:0x0004-08-78:0::" >> /etc/security/tsol/tnzonecfg
echo "ntk:0x0004-08-68:0::" >> /etc/security/tsol/tnzonecfg
echo "internal:0x0004-08-48:0::" >> /etc/security/tsol/tnzonecfg

#### Now, create the zones

screenhead # call the function

# Make the /zone parent directory (if it does not yet exist)
CHECKIT=0
if [[ ! -d /zone ]]
then
echo "There is ${BON}not${BOF} a /zone directory"
echo "Creating /zone now...\n"
mkdir /zone || CHECKIT=1
if [[ "${CHECKIT}" == "1" ]]
then
echo "Error encountered making /zone. Exiting Now."
echo "Run this program, again, and use the UnInstall option to clean up the system"
exit 1
fi
fi

# Create the zone configuration files
for ZONESETUP in public confidential ntk internal
do

case ${ZONESETUP} in
public) ZIPADDR=10.1.71 ;;
confidential) ZIPADDR=10.1.72 ;;
ntk) ZIPADDR=10.1.73 ;;
internal) ZIPADDR=10.1.74 ;;
esac

echo "${CLR}Creating zone config file for ${ZONESETUP}... Please wait"
ZCONFIG="create -b
set zonepath=/zone/${ZONESETUP}
set autoboot=true
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add inherit-pkg-dir
set dir=/opt
end
add inherit-pkg-dir
set dir=/kernel
end
add fs
set dir=/var/tsol/doors
set special=/var/tsol/doors
set type=lofs
add options ro
end
add net
set physical=${NETPORT}
set address=${ZIPADDR}.${OCTET}
end"
# NB: the config is written under a predictable name in world-writable /tmp;
# acceptable on a single-user demo box, not on a shared system
echo "${ZCONFIG}" > /tmp/${ZONESETUP}.config
done

# Now configure the zones
for ZONESETUP in public confidential ntk internal
do
zonecfg -z ${ZONESETUP} -f /tmp/${ZONESETUP}.config
done

set +xv

# Now install the zones
for ZONESETUP in public confidential ntk internal
do
zoneadm -z ${ZONESETUP} install
done

# Now create required files in each of the zones

for ZONESETUP in public confidential ntk internal
do

case ${ZONESETUP} in
public) ZIPADDR=10.1.71 ;;
confidential) ZIPADDR=10.1.72 ;;
ntk) ZIPADDR=10.1.73 ;;
internal) ZIPADDR=10.1.74 ;;
esac

cat > /zone/${ZONESETUP}/root/etc/default/init << EOF
#
# Copyright 1992, 1999-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident "@(#)init.dfl 1.7 02/12/03 SMI"
#
# This file is /etc/default/init. /etc/TIMEZONE is a symlink to this file.
# This file looks like a shell script, but it is not. To maintain
# compatibility with old versions of /etc/TIMEZONE, some shell constructs
# (i.e., export commands) are allowed in this file, but are ignored.
#
# Lines of this file should be of the form VAR=value, where VAR is one of
# TZ, LANG, CMASK, or any of the LC_* environment variables. value may
# be enclosed in double quotes (") or single quotes (').
#
TZ=GB
CMASK=022
LC_COLLATE=en_GB.ISO8859-15
LC_CTYPE=en_GB.ISO8859-15
LC_MESSAGES=C
LC_MONETARY=en_GB.ISO8859-15
LC_NUMERIC=en_GB.ISO8859-15
LC_TIME=en_GB.ISO8859-15
EOF

# set up the ipnodes file
echo "#
# Internet host table
#
::1 localhost
127.0.0.1 localhost
${ZIPADDR}.${OCTET} ${ZONESETUP} ${ZONESETUP}.${NODENAME}.org loghost
#" > /zone/${ZONESETUP}/root/etc/inet/ipnodes

# set up the hosts file
echo "#
# Internet host table
#
::1 localhost
127.0.0.1 localhost
${ZIPADDR}.${OCTET} ${ZONESETUP} ${ZONESETUP}.${NODENAME}.org loghost
10.1.70.${OCTET} ${NODENAME} ${NODENAME}.${NODENAME}.org loghost
10.1.71.${OCTET} public
10.1.72.${OCTET} confidential
10.1.73.${OCTET} ntk
10.1.74.${OCTET} internal" > /zone/${ZONESETUP}/root/etc/inet/hosts

# set up the nsswitch.conf file
cp /zone/${ZONESETUP}/root/etc/nsswitch.files /zone/${ZONESETUP}/root/etc/nsswitch.conf

# set up the .sysidconfig.apps file
echo "/lib/svc/method/sshd
/usr/lib/cc-ccr/bin/eraseCCRRepository" > /zone/${ZONESETUP}/root/etc/.sysidconfig.apps

# set up the shadow file
# where the root user has a password of: "root"
echo "root:lySCmJ.1txm4M:6445::::::" > /zone/${ZONESETUP}/root/etc/newshadow
sed '1d' /zone/${ZONESETUP}/root/etc/shadow >> /zone/${ZONESETUP}/root/etc/newshadow
chmod u+w /zone/${ZONESETUP}/root/etc/shadow
cat /zone/${ZONESETUP}/root/etc/newshadow > /zone/${ZONESETUP}/root/etc/shadow && rm /zone/${ZONESETUP}/root/etc/newshadow
chmod u-w /zone/${ZONESETUP}/root/etc/shadow

# set up the nodename file
echo "${ZONESETUP}" > /zone/${ZONESETUP}/root/etc/nodename

# set up the netmasks file
echo "10.1.0.0 255.255.0.0" >> /zone/${ZONESETUP}/root/etc/netmasks

# set up a sysidcfg file for the zone
echo "# The root password = root
root_password=El2UPcUnIueS6
name_service=NONE
security_policy=NONE
timeserver=localhost
system_locale=C
timezone=GB-Eire
terminal=dtterm
network_interface=vnic0 { hostname=${ZONESETUP}
ip_address=${ZIPADDR}.${OCTET}
protocol_ipv6=no
netmask=255.255.0.0
default_route=10.1.70.${OCTET} }" > /zone/${ZONESETUP}/root/etc/sysidcfg

# Configure the dfstab file for the zone
# Create a shared directory with content

mkdir -p /zone/${ZONESETUP}/root/export/sharedir
# the zone's filesystem lives under ${zonepath}/root, so dfstab must go there
mkdir -p /zone/${ZONESETUP}/root/etc/dfs
echo 'share -F nfs -o rw -d "security shared directory" /export/sharedir' > /zone/${ZONESETUP}/root/etc/dfs/dfstab
banner "${ZONESETUP}" > /zone/${ZONESETUP}/root/export/sharedir/${ZONESETUP}_file

done

###### Now, boot up the zones to allow SMF to configure the manifest
echo "Booting zones... This could take some time... Please be patient."

for ZONESETUP in public confidential ntk internal
do
echo "\n\nBooting the zone: ${BON}${ZONESETUP}${BOF}"
echo "As this is the first boot, the SMF manifest needs to be built"
echo "Please wait. \c"
zoneadm -z ${ZONESETUP} boot
sleep 15
while true
do
echo ".\c"
ps -efZ | grep "${ZONESETUP}.*manifest.*import" >/dev/null
if (( $? != 0 ))
then
break
fi
sleep 10
done
done

###### That concludes the zone setup

##### Now for the user creation
# (not implemented in this version: the userp1/userc1/useri1 accounts
# described in the README are not created by this script)

##### Enable the NFS server service
svcadm enable nfs/server

#### Now, reboot the system

echo "\n\nThe system needs to be rebooted for the demo to take effect"
echo "Rebooting now... Please wait..."
init 6

fi
############END OF INSTALL PHASE#################

######################UNINSTALL PHASE################
if [[ "${STEP}" = "U" ]]
then
screenhead # call the function

# First, remove the Zones
zoneadm list -cv | grep 'public' > /dev/null
if (( $? == 0 ))
then
for ZNAME in public confidential ntk internal
do
echo "Halting zone: ${ZNAME}"
zoneadm -z ${ZNAME} halt
sleep 10
echo "Uninstalling zone: ${ZNAME}"
zoneadm -z ${ZNAME} uninstall -F
sleep 10
echo "Deleting zone: ${ZNAME}"
# Force the zone to be deleted to avoid user-interaction
zonecfg -z ${ZNAME} delete -F
done
else
echo "Zones are not installed. No removal required"
fi

# Now, remove the packages (should be fast if the zones do not exist)
pkginfo SUNWtsg > /dev/null 2>&1
if (( $? == 0 ))
then
echo "Removing the TX packages from the system."
# Attempt to Unregister from the Product registry first
prodreg unregister -fr -u "Solaris Trusted Extensions" -i 1 > /dev/null 2>&1
# Then remove the packages
for PKGLIST in ${PACKAGE_RM}
do
echo "Removing package: ${PKGLIST}"
yes | pkgrm ${PKGLIST}
done && echo "All packages removed."
else
echo "TX packages are not installed. No removal required"
fi

# Now, re-instate the backup files
if [[ -f /var/tmp/txnetfiles.backup.tar ]]
then
echo "Recovering backed-up files"
tar xvf /var/tmp/txnetfiles.backup.tar && \
mv /var/tmp/txnetfiles.backup.tar /var/tmp/txnetfiles.backup.tar.old
else
echo "No files to recover."
fi

echo "Rebooting now..."
init 6
fi
###############END OF UNINSTALL PHASE################

###############README PHASE##########################
if [[ "${STEP}" = "R" ]]
then
more << EOF
${CLR}
The ${BON}txranger${BOF} Program
====================
${BON} *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING *** ${BOF}

The txranger program is intended for use on a non-production
system. You are ${BON}strongly advised${BOF} not to use this program
on a production system.

You are also advised to make a flash-archive backup of the system upon
which you wish to install this TX demo-environment. This will, therefore,
allow you to re-install the system back to its original state once
the demo-environment has been tested.

You are recommended to run this program on a system that can
easily be re-built using JumpStart, as the uninstall processes
do not, necessarily, re-set every file that may have been amended
or created during the demo-install process.

${BON} *** INFO *** INFO *** INFO *** INFO *** INFO *** INFO *** ${BOF}

The purpose of the txranger program is to install (or uninstall)
a demonstration environment in which the features of the Solaris 10
${BON}Trusted Extensions (TX)${BOF} can be tested.

The program will install the Trusted Extensions packages from a named
directory. By default, the program expects to find the individual
software packages in the ${BON}/tx/Trusted_Extensions/Packages${BOF} directory.

The program will also install four Solaris 10 Zones on the system, where
each zone will relate to a Security Classification (public, confidential,
ntk [need-to-know] and internal). The files for the Zones will be
installed in a ${BON}/zone${BOF} directory.

The program will also create or update a series of control files
related to networking and security-management. These changes
will allow the four Solaris 10 Zones and their respective classifications
to be used for testing purposes.

Finally, three user identities will be added to the system so that these
user IDs can be used to test the settings of the Trusted Extensions
environment.

In addition to installing this demo-environment, the txranger program
can be used to uninstall the demo environment.

Options are provided on the main menu screen, as shown below:

----------MAIN MENU DISPLAY-----------------------------

The ${BON}txranger${BOF} program

This program allows you to install or remove
the ${BON}Trusted Extensions${BOF} demo environment.

Primary Network Port: eri0
Nodename is: moon
Original IP address: 192.168.2.34
IPAddr will be set to: 10.1.70.34
Interrupt is set to: ^C
TX Source directory: /tx/Trusted_Extensions/Packages

Before you install, you are recommended to ${BON}read the Readme${BOF} document

Do you want to (I)nstall or (U)ninstall the Trusted Extensions(TX) Demo, Read the (R)eadme doc or (Q)uit from this program?

Please enter your choice (i/q/r/u): [ ]

--------------------------------------------------------

The information at the top of the screen shows you what the official
nodename of the system has been found to be, which primary network
port will be altered, what the current and demo-environment IP addresses
are (or will become), which key-sequence can be used to act as the
Interrupt key [which should be used with caution!] and the pathname
of the source of the Trusted Extensions software packages.

[NOTE: The package names match those as distributed with the Solaris
10 Release 3 (11/06) version of the Operating System.]

${BON}User Identities:${BOF}
----------------

Once the demo-environment has been installed and the system rebooted,
you will still be able to log in as the ${BON}root${BOF} user using
the appropriate password.

In addition, three more user identities will be available. These are:

userp1 (Classification - PUBLIC)
userc1 (Classifications - PUBLIC and CONFIDENTIAL)
useri1 (Classifications - PUBLIC, CONFIDENTIAL, Need-To-Know and INTERNAL)

In each case, the password for the user is the same as their login name.
[Yes, I know that it is not secure, but ${BON}this _IS_ a demo!${BOF}]

${BON}Testing NFS Shares:${BOF}
-------------------

The demo-environment also creates an NFS shared directory in each of
the classified Zones. The pathname that is shared is
${BON}/export/sharedir${BOF}

The IP address of the classified zone will be as follows:

10.1.71.## public zone
10.1.72.## confidential zone
10.1.73.## ntk zone
10.1.74.## internal zone

where ## is the same value as the last octet value of the
demo-system's original IP address.

You may wish to try ${BON}dfshares IPaddr${BOF} when logged in to
one of the classified zone environments to see if you can see what
is being shared in a zone that is in a different classification to
your current classification.

${BON}Finally:${BOF}
--------

Context-Switch Limited are currently working on some demonstration
exercises to be used within the demo-environment.

These will be made available at this URL at some point:

http://www.context-switch.com/docs/training.htm

We hope that this demo-environment helps you understand the features
of the Solaris 10 Trusted Extensions security environment a little better.

Jeff Turner, Context-Switch Limited
http://www.Context-Switch.com
August 2007
EOF

fi
###############END OF README PHASE###################
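One thing worth checking before running the script: the network-detection step near its top (the loop over /etc/hostname.* that sets NETPORT, IPADDR and OCTET) matches the nodename as an unanchored substring, via grep on the hostname.<port> file and nawk "/${NODENAME}/" on ipnodes. A nodename that is a prefix of another host's name (say "moon" next to "moonbase") can therefore select the wrong port or address, and everything downstream (the 10.1.70.N address, the zone addresses) inherits the mistake. The following is an added example, not part of Jeff's script, that does the same detection with exact field matching. It takes a root directory as an assumed parameter ("/" on a live system) so it can be exercised against a constructed copy of etc/ rather than the live files; the fixture builder tx_make_fixture and its sample hosts are constructed for that purpose and are not from the original page.

```shell
#!/bin/sh
# Added example, not part of txranger: detect the primary network port,
# IP address and last octet from the same files the script reads
# (etc/nodename, etc/hostname.<port>, etc/inet/ipnodes), but with exact
# field matching instead of the unanchored grep/nawk substring match.
# "root" is an assumed parameter: "/" on a live system, or a scratch
# directory holding a copy of etc/ for testing.
# On Solaris 10 the old /usr/bin/awk lacks -v; run with AWK=nawk there.
AWK="${AWK:-awk}"

# Prints "<port> <ip> <octet>" on success, returns 1 on any failure.
tx_detect_net() {
    root="${1:-/}"
    [ -r "$root/etc/nodename" ] || return 1
    [ -r "$root/etc/inet/ipnodes" ] || return 1
    nodename=$(head -n 1 "$root/etc/nodename")
    nodename="${nodename%%.*}"          # strip any domain part, as the script does
    [ -n "$nodename" ] || return 1

    for f in "$root"/etc/hostname.*[0-9]; do
        [ -f "$f" ] || continue
        # hostname.<port> holds e.g. "moon netmask + broadcast + up";
        # accept the file only if one whole field equals the nodename.
        "$AWK" -v n="$nodename" '
            { for (i = 1; i <= NF; i++) if ($i == n) found = 1 }
            END { exit !found }' "$f" || continue
        port="${f##*.}"
        # First non-comment ipnodes entry whose name or alias equals the nodename.
        ip=$("$AWK" -v n="$nodename" '
            /^#/ || NF < 2 { next }
            { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' \
            "$root/etc/inet/ipnodes")
        [ -n "$ip" ] || return 1
        printf '%s %s %s\n' "$port" "$ip" "${ip##*.}"
        return 0
    done
    return 1
}

# Constructed fixture for trying the function offline: nodename "moon" on
# eri0, plus a decoy host "moonbase" that a substring match would hit
# first (it is listed first in ipnodes and owns the lexically earlier
# hostname.ce1 file). None of these hosts or addresses are from the page.
tx_make_fixture() {
    d="$1"
    mkdir -p "$d/etc/inet"
    echo "moon.example.org"              > "$d/etc/nodename"
    echo "moonbase"                      > "$d/etc/hostname.ce1"
    echo "moon netmask + broadcast + up" > "$d/etc/hostname.eri0"
    cat > "$d/etc/inet/ipnodes" <<'EOF'
#
# Internet host table (constructed sample)
#
::1            localhost
127.0.0.1      localhost loghost
192.168.2.40   moonbase
192.168.2.34   moon moon.example.org
EOF
}

# Try it against the fixture; on a live system run: tx_detect_net /
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && tx_make_fixture "$d" && tx_detect_net "$d"; rm -rf "$d"
fi
```

Against the fixture this prints "eri0 192.168.2.34 34"; the original grep/nawk logic would have stopped at hostname.ce1 and returned the moonbase address. The same exact-match idea applies to the script's other greps (the `zoneadm list -cv | grep 'public'` test in the uninstall phase, for instance), which is worth keeping in mind if the demo box carries zones with overlapping names.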

(2007-09-02 03:48:58.0)
Trackback URL: http://blogs.sun.com/davew/entry/tx_ranger_config_script_v1
