8    Creating and Modifying Secure Devices

The ISSO is traditionally responsible for assigning the devices that are included in the system's trusted computing base (TCB) and for defining the security characteristics of those devices. On a Digital UNIX system, root access is required to assign devices. The trusted Digital UNIX system currently supports terminals as part of the TCB. This chapter describes how to define those devices to a secure system.




8.1    Defining Security Characteristics

The ISSO traditionally defines the security characteristics of all the terminals that are part of the system using the dxdevices program. To do this, the ISSO performs the following tasks:

The ISSO is usually responsible for ensuring that all device assignments, whether they are set explicitly or by default, conform to a site's security requirements.

Before you create or modify a secure device, all of the typical device installation procedures required during ordinary system hardware and software installation must be completed. The special files for devices must exist in the /dev directory and have the appropriate permissions. The special files for terminals must be owned by root, have the group set to tty, and have the mode set to 0620.

You can verify that the installation has been completed with the ls command. The following example is typical:

ls -lg /dev/tty*
crw----------  1  root   tty  0,  2 Aug 15 09:29 /dev/tty00
crw----------  1  root   tty  0,  3 Aug 15 09:29 /dev/tty01
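
The ownership, group, and mode requirements stated above can also be checked mechanically. The shell function below is an added example, not part of the original manual; its name and the sample listing are constructed, and it assumes a long listing with the owner in the third field and the group in the fourth, as in the ls -lg output shown.

```shell
#!/bin/sh
# Added example: audit terminal special files against the stated
# requirements (character device, owner root, group tty, mode 0620).

# check_tty_listing (hypothetical name): reads long-listing lines on
# stdin, prints one line per non-compliant file, returns 1 if any found.
check_tty_listing() {
    awk '
    NF < 5 { next }                      # skip "total" and blank lines
    {
        perms = substr($1, 1, 10); owner = $3; group = $4; path = $NF
        why = ""
        if (substr(perms, 1, 1) != "c") why = why " not-char-device"
        if (owner != "root")            why = why " owner=" owner
        if (group != "tty")             why = why " group=" group
        # mode 0620 is rw- for owner, -w- for group, --- for others
        if (substr(perms, 2, 9) != "rw--w----") why = why " perms=" perms
        if (why != "") { print path ":" why; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Constructed sample listing (not output from a real system).
SAMPLE_LISTING='crw--w----  1 root  tty    0,  2 Aug 15 09:29 /dev/tty00
crw--w--w-  1 root  tty    0,  3 Aug 15 09:29 /dev/tty01
crw--w----  1 alice tty    0,  4 Aug 15 09:29 /dev/tty02
-rw--w----  1 root  system 0 Aug 15 09:29 /dev/tty03'

# Report findings for the sample. On a live system, pipe the real
# listing in instead:  ls -lg /dev/tty* | check_tty_listing
printf '%s\n' "$SAMPLE_LISTING" | check_tty_listing || true
```

Any line the function prints names a special file that should be corrected before the device is defined to the secure system.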




8.1.1    Modifying, Adding, and Removing Devices with the dxdevices Program

Using the Devices dialog box, select the Modify/Create dialog box, then the Select devices dialog box. To add or remove a device, first select or enter the device, then click on File to make the required changes. To modify a device, first select the device, then click on Modify to make the required changes. See the online help for dxdevices for more information.




8.1.2    Setting Default Values with the dxdevices Program

Using the Devices dialog box, select the Defaults dialog box. Set the system defaults for all of your terminals as required. A terminal uses these defaults unless specifically overridden by settings in the Modify Terminal dialog box. See the online help for dxdevices for more information.




8.2    Updating Security Databases

When you assign device defaults or device-specific parameters, the system updates the following security databases:

Each device to be used in your secure configuration must have an entry in the device assignment database. This database centralizes information about the security characteristics of all system devices. It includes the device pathname and type. By default, a wildcard entry exists for terminals (but not X displays) in the /etc/auth/system/ttys.db and /etc/auth/system/devassign databases.

The X display entries shipped on the system have :t_login_timeout#0: entries in them, in case a site changes its system default login timeout. If wildcard X display entries are needed, they can be created as follows:

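# Wildcard X display entry for the terminal control database (-dt)
echo '*\:*:t_devname=*\:*:t_login_timeout#0:t_xdisplay:chkent:' \
    | /tcb/bin/edauth -s -dt
# Wildcard X display entry for the device assignment database (-dv)
echo '*\:*:v_type=xdisplay:chkent:' | /tcb/bin/edauth -s -dv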
