Special Notes for installing Simple System Monitoring System (SSMA) on Trusted Solaris 8
-----------------------------------------------------------------------------------------

Trusted Solaris 8 is unlike a normal Solaris or Linux operating system.  It is 
extremely secure and access to various functions and filesystems must be 
granted or they are automatically denied as a matter of course.

Before installing Simple System Monitoring System (SSMA) software on Trusted Solaris 8, create a 
'Canary Management' rights profile.

This needs to be done on both the SSMA central monitoring host as 
well as on each client to be monitored.  This can be done using SMC or manually 
by adding the following lines to /etc/security/prof_attr :

   Canary Management:::Canary commands.:help=RtSunrayMngmnt.html

The help file pointed to in the above example needs to be created or an 
existing one can be used.

On the SSMA Central monitoring host, the following line needs to be 
added to /etc/security/exec_attr :

       Canary Management:tsol:cmd:::/usr/bin/ps:privs=4,10,47,51

On each client to be monitored, add the following lines to 
/etc/security/exec_attr :

   Canary Management:tsol:cmd:::/usr/bin/ps:privs=4,10,47,51
   Canary Management:tsol:cmd:::/usr/bin/prstat:privs=4,10,11,51
   Canary Management:tsol:cmd:::/usr/sbin/traceroute:privs=36,68
   Canary Management:tsol:cmd:::/var/tmp/canary/probe/canary_wrapper.sh:privs=4,
   10,47,11,36,51,68

Note: Each entry is one line.  The Probe Directory above is the 'default' 
location and should be changed to reflect the local installation.  

Numbers reflect privileges as described in /usr/lib/tsol/locale/C/priv_name

One the above pre-work is completed, create a 'canary' role with the 'Canary 
Management' profile and assign the role to the user under whose ID SSMA
software will be running.

After the above is complete, SSMA software may be installed on the 
Trusted Solaris 8 host using the normal installation procedure.  

Once SSMA software is installed, the allowed privileges of 
executables need to be modified.

Use the following command to do this:

	tsol8% setfpriv -s -a all *

To run the SSMA client software, login as the user who will be 
running SSMA software, assume the 'canary' role and run 
canary_probe_wrapper.sh manually.

If the installation instructions above are unacceptable due to security or 
other concerns, SSMA scripts may be modified to use

	#!/bin/pfsh

as opposed to 

	#!/bin/sh

which is how SSMA software ships for ordinary Solaris and Linux 
systems.  

After making the changes recommended above, remove canary_wrapper.sh from the 
rights profile.  This will limit privileges to only those commands which need 
them, such as ps, prstat, and traceroute, and not every command that the 
SSMA script uses.

This will give a more secure installation at the cost of modifying the SSMA
software.  Either the standard recommended installation instructions or 
the alternative instructions will result in a functional Trusted Solaris 8 
installation.

All scripts can be run at ADMIN_LOW using this installation method.

Users are advised to weigh their particular site's security concerns and choose 
the installation method that best meets their requirements.


