293 useradd/del/mod should be ZFS-aware

[illumos-gate.git] / usr / src / man / man1m / smtnrhtp.1m

'\" te
.\" Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH SMTNRHTP 1M "Oct 31, 2007"
.SH NAME
smtnrhtp \- manage entries in the trusted network template database
.SH SYNOPSIS
.LP
.nf
\fB/usr/sadm/bin/smtnrhtp\fR \fIsubcommand\fR [\fIauth_args\fR] \fB--\fR [\fIsubcommand_args\fR]
.fi

.SH DESCRIPTION
.sp
.LP
The \fBsmtnrhtp\fR command adds, modifies, deletes, and lists entries in the
\fBtnrhtp\fR database.
.sp
.LP
\fBsmtnrhtp\fR \fIsubcommand\fRs are:
.sp
.ne 2
.na
\fB\fBadd\fR\fR
.ad
.RS 10n
Adds a new entry to the \fBtnrhtp\fR database. To add an entry, the
administrator must have the \fBsolaris.network.security.read\fR and
\fBsolaris.network.security.write\fR authorizations.
.RE

.sp
.ne 2
.na
\fB\fBmodify\fR\fR
.ad
.RS 10n
Modifies an entry in the \fBtnrhtp\fR database. To modify an entry, the
administrator must have the \fBsolaris.network.security.read\fR and
\fBsolaris.network.security.write\fR authorizations.
.RE

.sp
.ne 2
.na
\fB\fBdelete\fR\fR
.ad
.RS 10n
Deletes an entry from \fBtnrhtp\fR database. To delete an entry, the
administrator must have the \fBsolaris.network.security.read\fR and
\fBsolaris.network.security.write\fR authorizations.
.RE

.sp
.ne 2
.na
\fB\fBlist\fR\fR
.ad
.RS 10n
Lists entries in the \fBtnrhtp\fR database. To list an entry, the administrator
must have the \fBsolaris.network.security.read\fR authorizations.
.RE

.SH OPTIONS
.sp
.LP
The \fBsmtnrhtp\fR authentication arguments, \fIauth_args\fR, are derived from
the \fBsmc\fR argument set and are the same regardless of which subcommand you
use. The \fBsmtnrhtp\fR command requires the Solaris Management Console to be
initialized for the command to succeed (see \fBsmc\fR(1M)). After rebooting the
Solaris Management Console server, the first smc connection can time out, so
you might need to retry the command.
.sp
.LP
The subcommand-specific options, \fIsubcommand_args\fR, must be \fBpreceded\fR
by the \fB--\fR option.
.SS "\fIauth_args\fR"
.sp
.LP
The valid \fIauth_args\fR are \fB-D\fR, \fB-H\fR, \fB-l\fR, \fB-p\fR, \fB-r\fR,
and \fB-u\fR; they are all optional. If no \fIauth_args\fR are specified,
certain defaults will be assumed and the user might be prompted for additional
information, such as a password for authentication purposes. These letter
options can also be specified by their equivalent option words preceded by a
double dash. For example, you can use either \fB-D\fR or \fB--domain\fR.
.sp
.ne 2
.na
\fB\fB-D\fR | \fB--domain\fR \fIdomain\fR\fR
.ad
.sp .6
.RS 4n
Specifies the default domain that you want to manage. The syntax of
\fIdomain\fR=\fItype\fR:/\fIhost_name\fR/\fIdomain_name\fR, where \fItype\fR is
\fBdns\fR, \fBldap\fR, or \fBfile\fR; \fIhost_name\fR is the name of the
server; and \fIdomain_name\fR is the name of the domain you want to manage.
.sp
If you do not specify this option, the Solaris Management Console assumes the
\fBfile\fR default domain on whatever server you choose to manage, meaning that
changes are local to the server. Toolboxes can change the domain on a
tool-by-tool basis; this option specifies the domain for all other tools.
.RE

.sp
.ne 2
.na
\fB\fB-H\fR | \fB--hostname\fR \fIhost_name:port\fR\fR
.ad
.sp .6
.RS 4n
Specifies the \fIhost_name\fR and \fIport\fR to which you want to connect. If
you do not specify a \fIport\fR, the system connects to the default port,
\fB898\fR. If you do not specify \fIhost_name:port\fR, the Solaris Management
Console connects to the local host on port \fB898\fR.
.RE

.sp
.ne 2
.na
\fB\fB-l\fR | \fB--rolepassword\fR \fIrole_password\fR\fR
.ad
.sp .6
.RS 4n
Specifies the password for the \fIrole_name\fR. If you specify a
\fIrole_name\fR but do not specify a \fIrole_password\fR, the system prompts
you to supply a \fIrole_password\fR. Passwords specified on the command line
can be seen by any user on the system, hence this option is considered
insecure.
.RE

.sp
.ne 2
.na
\fB\fB-p\fR | \fB--password\fR \fIpassword\fR\fR
.ad
.sp .6
.RS 4n
Specifies the password for the \fIuser_name\fR. If you do not specify a
password, the system prompts you for one. Passwords specified on the command
line can be seen by any user on the system, hence this option is considered
insecure.
.RE

.sp
.ne 2
.na
\fB\fB-r\fR | \fB--rolename\fR \fIrole_name\fR\fR
.ad
.sp .6
.RS 4n
Specifies a role name for authentication. If you do not specify this option, no
role is assumed.
.RE

.sp
.ne 2
.na
\fB\fB-u\fR | \fB--username\fR \fIuser_name\fR\fR
.ad
.sp .6
.RS 4n
Specifies the user name for authentication. If you do not specify this option,
the user identity running the console process is assumed.
.RE

.sp
.ne 2
.na
\fB\fB--\fR\fR
.ad
.sp .6
.RS 4n
This option is required and must always follow the preceding options. If you do
not enter the preceding options, you must still enter the \fB--\fR option.
.RE

.SS "\fIsubcommand_args\fR"
.sp
.LP
Descriptions and other argument options that contain white spaces must be
enclosed in double quotes.
.sp
.ne 2
.na
\fB\fB-h\fR\fR
.ad
.RS 26n
Displays the command's usage statement.
.RE

.sp
.ne 2
.na
\fB\fB-n\fR \fItemplatename\fR\fR
.ad
.RS 26n
Specifies the name of the template.
.RE

.sp
.ne 2
.na
\fB\fB-t\fR \fIhosttype\fR\fR
.ad
.RS 26n
Specifies the host type of the new host. Valid values are \fBunlabeled\fR and
\fBcipso\fR. The \fBcipso\fR host type is for hosts that use CIPSO (Common IP
Security Options - Tag Type 1 only) to label packets.
.RE

.sp
.ne 2
.na
\fB\fB-x\fR \fBdoi\fR=\fIdoi-value\fR\fR
.ad
.RS 26n
Specifies the \fBDOI\fR value (the domain of interpretation). In the case of
the \fBunlabeled\fR host type, this is the domain of interpretation for the
\fBdef_label\fR.
.sp
The domain of interpretation defines the set of rules for translating between
the external or internal representation of the security attributes and their
network representation. When systems that are configured with Trusted
Extensions software have the same \fBdoi\fR, they share that set of rules. In
the case of the \fBunlabeled\fR host type, these systems also share the same
interpretation for the default attributes that are assigned to the unlabeled
templates that have that same \fBdoi\fR.
.RE

.sp
.ne 2
.na
\fB\fB-x\fR \fBmax\fR=\fImaximum-label\fR\fR
.ad
.RS 26n
Specifies the maximum label. Together with \fBmin\fR, this value specifies the
label accreditation range for the remote hosts that use this template. Values
can be a hex value or string (such as \fBadmin_high\fR).
.RE

.sp
.ne 2
.na
\fB\fB-x\fR \fBmin\fR=\fIminimum-label\fR\fR
.ad
.RS 26n
Specifies the minimum label. Together with \fBmax\fR, this value specifies the
label accreditation range for the remote hosts that use this template. For
gateway systems, \fBmin\fR and \fBmax\fR define the default range for
forwarding labeled packets. The label range for routes is typically set by
using a \fBroute\fR(1M) subcommand with the \fB-secattr\fR option. When the
label range for routes is not specified, the \fBmin\fR to \fBmax\fR range in
the security template is used. Values can be a hex value or string (such as
\fBadmin_low\fR).
.RE

.sp
.ne 2
.na
\fB\fB-x\fR \fBlabel\fR=\fIdefault-label\fR\fR
.ad
.RS 26n
Specifies the default label  to be applied to incoming data from remote hosts
that do not support these attributes. This option does not apply if
\fIhosttype\fR is \fBcipso\fR. Values can be a hex value or string (such as
\fBadmin_low\fR).
.RE

.sp
.ne 2
.na
\fB\fB-x\fR \fBslset\fR=\fIl1\fR,\fIl2\fR,\fIl3\fR,\fIl4\fR\fR
.ad
.RS 26n
Specifies a set of sensitivity labels. For gateway systems, the labels in
\fBslset\fR are used for forwarding labeled packets. \fBslset\fR is optional.
You can specify up to four label values, separated by commas. Values can be a
hex value or string (such as \fBadmin_low\fR).
.RE

.RS +4
.TP
.ie t \(bu
.el o
One of the following sets of arguments must be specified for subcommand
\fBadd\fR:
.sp
.in +2
.nf
\fB-n\fR \fItemplate name\fR (
.fi
.in -2
.sp

.RS +4
.TP
.ie t \(bu
.el o
\fB-t\fR \fBcipso\fR [ \fB-x\fR \fBdoi\fR=\fIdoi-value\fR \fB-x\fR
\fBmin\fR=\fIminimum-label\fR \fB-x\fR \fBmax\fR=\fImaximum-label\fR \fB-x\fR
\fBslset\fR=\fIl1\fR,\fIl2\fR,\fIl3\fR,\fIl4\fR ] |
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fB-t\fR unlabeled [ \fB-x\fR \fBdoi\fR=\fIdoi-value\fR \fB-x\fR
\fBmin\fR=\fIminimum-label\fR \fB-x\fR \fBmax\fR=\fImaximum-label\fR \fB-x\fR
\fBlabel\fR=\fIdefault-label\fR \fB-x\fR
\fBslset\fR=\fIl1\fR,\fIl2\fR,\fIl3\fR,\fIl4\fR ] |
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fB-h\fR
.RE
.sp
.in +2
.nf
)
.fi
.in -2
.sp

.RE
.RS +4
.TP
.ie t \(bu
.el o
One of the following sets of arguments must be specified for subcommand
\fBmodify\fR:
.sp
.in +2
.nf
\fB-n\fR \fItemplate name\fR (
.fi
.in -2
.sp

.RS +4
.TP
.ie t \(bu
.el o
\fB-t\fR \fBcipso\fR [ \fB-x\fR \fBdoi\fR=\fIdoi-value\fR \fB-x\fR
\fBmin\fR=\fIminimum-label\fR \fB-x\fR \fBmax\fR=\fImaximum-label\fR \fB-x\fR
\fBslset\fR=\fIl1\fR,\fIl2\fR,\fIl3\fR,\fIl4\fR ] |
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fB-t\fR unlabeled [ \fB-x\fR \fBdoi\fR=\fIdoi-value\fR \fB-x\fR
\fBmin\fR=\fIminimum-label\fR \fB-x\fR \fBmax\fR=\fImaximum-label\fR \fB-x\fR
\fBlabel\fR=\fIdefault-label\fR\fB-x\fR
\fBslset\fR=\fIl1\fR,\fIl2\fR,\fIl3\fR,\fIl4\fR ] |
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fB-h\fR
.RE
.sp
.in +2
.nf
)
.fi
.in -2
.sp

If the host type is changed, all options for the new host type must be
specified.
.RE
.RS +4
.TP
.ie t \(bu
.el o
One of the following sets of arguments must be specified for subcommand
\fBdelete\fR:
.sp
.in +2
.nf
\fB-n\fR \fItemplatename\fR |
\fB-h\fR
.fi
.in -2
.sp

.RE
.RS +4
.TP
.ie t \(bu
.el o
The following argument can be specified for subcommand \fBlist\fR:
.sp
.in +2
.nf
\fB-n\fR \fItemplatename\fR |
\fB-h\fR
.fi
.in -2
.sp

.RE
.SH EXAMPLES
.LP
\fBExample 1 \fRAdding a New Entry to the Network Template Database
.sp
.LP
The admin role connects to port \fB898\fR of the LDAP server and creates the
\fBunlabeled_ntk\fR entry in the \fBtnrhtp\fR database. The new template is
assigned a host type of \fBunlabeled\fR, a domain of interpretation of \fB1\fR,
minimum label of \fBpublic\fR, maximum label of \fBrestricted\fR, and a default
label of \fBneedtoknow\fR. The administrator is prompted for the admin
password.

.sp
.in +2
.nf
$ /usr/sadm/bin/smtnrhtp \e
add -D ldap:\fIdirectoryname\fR -H \fIservername\fR:898 -- \e
-n unlabeled_ntk -t unlabeled -x DOI=1 \e
-x min=public -x max=restricted -x label="need to know"
.fi
.in -2
.sp

.SH EXIT STATUS
.sp
.LP
The following exit values are returned:
.sp
.ne 2
.na
\fB\fB0\fR\fR
.ad
.RS 5n
Successful completion.
.RE

.sp
.ne 2
.na
\fB\fB1\fR\fR
.ad
.RS 5n
Invalid command syntax. A usage message displays.
.RE

.sp
.ne 2
.na
\fB\fB2\fR\fR
.ad
.RS 5n
An error occurred while executing the command. An error message displays.
.RE

.SH FILES
.sp
.LP
The following files are used by the \fBsmtnrhtp\fR command:
.sp
.ne 2
.na
\fB\fB/etc/security/tsol/tnrhtp\fR\fR
.ad
.RS 29n
Trusted network remote-host templates.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE  ATTRIBUTE VALUE
_
Interface Stability     Committed
.TE

.SH SEE ALSO
.sp
.LP
\fBsmc\fR(1M), \fBattributes\fR(5)
.SH NOTES
.sp
.LP
The functionality described on this manual page is available only if the system
is configured with Trusted Extensions.
.SH WARNINGS
.sp
.LP
Changing a template while the network is up can change the security view of an
undetermined number of hosts.
.sp
.LP
Allowing unlabeled hosts onto a Solaris Trusted Extensions network is a
security risk. To avoid compromising the rest of your network, such hosts must
be \fBtrusted\fR in the sense that the administrator is certain that these
unlabeled hosts will not be used to compromise the distributed system. These
hosts should also be physically protected to restrict access to authorized
individuals. If you cannot guarantee that an unlabeled host is physically
secure from tampering, it and similar hosts should be isolated on a separate
branch of the network.
.sp
.LP
If the security template is modified while the network is up, the changes do
not take effect immediately unless \fBtnctl\fR(1M) is used to update the
template entries. Otherwise, the changes take effect when next polled by the
trusted network daemon, \fBtnd\fR(1M). Administrators are allowed to add new
templates and modify attributes of existing templates while the network is up.