Trusted Solaris Installation and Configuration

Creating Roles and Users

The install team creates the administrative roles (other than root) to be used at the site. The team assigns each role its rights profiles. Initial rights profiles are provided on the installation CD-ROM.

The appropriate toolbox scope for creating roles and users in a non-networked environment is this-host: Scope=Files, Policy=TSOL.

Create Administrative Roles
  1. In the root role at label ADMIN_LOW, start the Solaris Management Console if it is not running.

  2. Select the appropriate toolbox.

  3. Click Trusted Solaris Configuration, then click Users.

  4. When prompted, enter the root role password.

  5. Double-click Administrativ... (Administrative Roles).

  6. Choose Add Administrative Role from the Action menu.

    The Add Administrative Role wizard enables you to enter all values that are required for a role to work well. Values that you are not prompted to enter receive a default value. If you want to view or modify a role, double-click the role after creating it.

  7. Create the secadmin role to be the security administrator. Use the following table as a guide when creating the role.

    The secadmin password, like every password on the system, must be hard to guess. This reduces the chance that an adversary gains unauthorized access by guessing passwords.


    Note -

    For all administrative roles, make the account Always Available, and do not set password expiration dates.


    Table 4-1 secadmin Values in Add Role Dialog

    Tab              Role Field                    (Recommended) Value
    ---------------  ----------------------------  ------------------------------------------------------------------
    Role Name        Role name                     secadmin
                     Full Name                     Security Administrator
                     Description                   No proprietary info here.
                     Role ID Number                >=100
                     Role shell                    Administrator's Bourne (profile shell)
                     Create a role mailing list    checked
    Password         Password and confirm          Assign a password of at least 6 alphanumeric characters.
    Rights           Available and Granted         Information Security, Rights Security
    Home Directory   Server                        home directory server
                     Path                          /mount_path
    Assign Users     Add and Delete                This will be automatically filled in when you assign a role to a user.

  8. After creating the role, select it and double-click it to modify it. Use information from the following table as a guide.

    Table 4-2 secadmin Values in Properties/Modify Dialog

    Tab                          Role Field                                        (Recommended) Value
    ---------------------------  ------------------------------------------------  ----------------------------------------------
    Password                     Set password by Type in or Choose from list       (Set in Table 4-1.)
                                 Update password by Choose from list or Type in
    Group                        Available Groups
    Trusted Solaris Attributes   Minimum Label: Edit                               Default value is correct.
                                 Clearance: Edit                                   Default value is correct.
                                 View: External or Internal                        The default value is External.
                                 Label: Show or Hide                               If your site is a no-label site, choose Hide.
                                 Lock account ...                                  Default value, No, is correct.
    Audit                        Excluded and Included                             Set flags per site security policy

  9. Using the preceding tables as a guide, create the following three roles. Give each role a unique ID, and assign to it the correct rights profile, as shown below:

    Role Name       Granted Rights
    --------------  ----------------------
    admin           System Administrator
    primaryadmin    Primary Administrator
    oper            Operator


    Caution -

    You must create the administrative roles before you create the users, since you will assign a role to each user.

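The role procedure above is driven through the SMC wizard. As an added example that is not part of the Trusted Solaris guide, the following script performs the same planning on the command line with the base Solaris RBAC command roleadd(1M): it checks the four roles of Tables 4-1 and 4-2 and step 9 against the "unique ID >= 100" rule and against a constructed snapshot of the existing passwd database (roles and users share one ID pool), and then prints the roleadd lines as a dry run. The profile shell path /bin/pfsh, the home directory mount path /export/home and the staff group are assumptions; the rights profile names are the ones the tables list.

```shell
#!/bin/sh
# Added example, not from the Trusted Solaris guide: a pre-flight check and a
# dry-run command plan for the four administrative roles in Tables 4-1 and 4-2
# and step 9, using the base Solaris RBAC command roleadd(1M) instead of the
# SMC wizard. Assumptions: /bin/pfsh is the profile Bourne shell, /export/home
# is the home directory mount path, and staff is the roles' primary group.

# Constructed snapshot of the existing passwd database as name:uid pairs.
# On a real system build it with:  getent passwd | cut -d: -f1,3
EXISTING_PASSWD='root:0
daemon:1
bin:2
sys:3
adm:4
lp:71
nobody:60001'

# Planned roles, one per line: name:uid:full name:rights profiles.
# Role IDs must be >= 100 (Table 4-1) and unique against every existing
# user and role, because roles and users draw from the same ID pool.
ROLE_PLAN='secadmin:100:Security Administrator:Information Security,Rights Security
admin:101:System Administrator:System Administrator
primaryadmin:102:Primary Administrator:Primary Administrator
oper:103:Operator:Operator'

# check_role_plan PLAN EXISTING: exit 0 if every planned role has a unique
# name and a unique numeric ID >= 100 that collides with nothing in EXISTING
# or earlier in the plan; otherwise print each problem and exit 1.
check_role_plan() {
    { printf '%s\n' "$2" | sed 's/^/E:/'; printf '%s\n' "$1" | sed 's/^/P:/'; } |
    awk -F: '
    BEGIN { bad = 0 }
    $1 == "E" { name_used[$2] = 1; uid_used[$3] = 1; next }
    $1 == "P" && NF >= 5 {
        if ($3 !~ /^[0-9]+$/ || $3 + 0 < 100) { print "role " $2 ": ID " $3 " is not >= 100"; bad = 1 }
        if ($2 in name_used) { print "role " $2 ": name already in use"; bad = 1 }
        if ($3 in uid_used)  { print "role " $2 ": ID " $3 " already in use"; bad = 1 }
        name_used[$2] = 1; uid_used[$3] = 1
    }
    END { exit bad }'
}

# role_commands PLAN: print one roleadd(1M) line per role (nothing is run).
# To apply, run the printed lines from the root role at ADMIN_LOW and then
# set each role password with passwd(1).
role_commands() {
    printf '%s\n' "$1" | awk -F: 'NF >= 4 {
        printf "roleadd -u %s -g staff -m -d /export/home/%s -s /bin/pfsh -c \"%s\" -P \"%s\" %s\n",
               $2, $1, $3, $4, $1
    }'
}

if check_role_plan "$ROLE_PLAN" "$EXISTING_PASSWD"; then
    role_commands "$ROLE_PLAN"
fi
```

Run it as is and it only prints the plan; the check refuses to emit any commands if a planned name or ID is already taken, which is the mistake the cautions in this chapter warn about. The role passwords are set afterwards with passwd(1), so they never appear in the script.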

Create Users Who Will Assume Roles

The install team in the root role creates users to assume the roles secadmin, admin, and primaryadmin. Where site security policy permits, the team can choose to create one user who can assume more than one administrative role.

  1. Double-click User Accounts in the Solaris Management Console.

  2. Choose Add User -> Use Wizard from the Action menu.


    Caution -

    Role and user IDs come from the same pool of IDs. Do not use existing names or IDs for the users you add.


  3. Begin to create a user who can assume the secadmin role and use Table 4-3 to fill out the fields.

    The Add User -> Use Wizard dialog boxes create most aspects of a user.

  4. After creating the user, double-click the created user to modify some user properties.

    Use Table 4-4 as a guide.

  5. Read the (Recommended) Value columns for guidance.

    Parentheses enclose suggestions. Requirements or defaults are not enclosed in parentheses.


    Note -

    When the install team chooses a password, the team must select one that is not easy to guess, thus reducing the chance of an attacker gaining unauthorized access by attempting to guess passwords.


    Table 4-3 User Values in Add User Dialog

    Tab              User Field                                     (Recommended) Value
    ---------------  ---------------------------------------------  --------------------------------------------------------
    User Name        User name
                     Full name
                     Description                                    No proprietary info here.
                     User ID number                                 (1001 or higher)
    Password         Set password by Type in or Choose from list    Assign a password of at least 6 alphanumeric characters.
                     Confirm
    Group            Primary group                                  Staff
    Home directory   Server                                         home directory server
                     Path
    Mail             Server
                     Path

    For the user who can assume the secadmin role, select "Always Available" for "Account Availability" under General, below. Choose an appropriate account availability for other users.

    Table 4-4 User Values in Properties/Modify Dialog

    Tab                          User Field                                        (Recommended) Value
    ---------------------------  ------------------------------------------------  ----------------------------------------------
    General                      Shell
                                 Account Availability                              Always Available
    Password                     Set password by Type in or Choose from list       (Set in Table 4-3.)
                                 Update password by Choose from list or Type in
    Group                        Additional Groups
    Roles                        Available Roles and Assigned Roles                secadmin
    Trusted Solaris Attributes   Minimum Label: Edit                               Default value is correct.
                                 Clearance: Edit                                   Default value is correct.
                                 View: External or Internal
                                 Label: Show or Hide                               If your site is a no-label site, choose Hide.
    Account Usage                Idle time
                                 Idle action
                                 Lock account ...                                  No -- for any user who will assume a role.
    Rights                       Available and Granted                             Enable Login ... and see Note below.
    Audit                        Excluded and Included                             Set flags per site security policy


    Note -

    Although Basic Solaris User does not appear in the Granted column, this right is assigned automatically to a user that is created using the Add User wizard. Do not assign the right explicitly.


  6. Create and modify another user, one who can assume the admin role.

  7. (Optional) Create and modify third and fourth users to assume the primaryadmin and oper roles, and provide them with unique IDs and appropriate Rights.

    These first users should each have at least the Enable Login right -- user can enable logins after a system reboot.

    After checking your site security policy, you may want to add the Convenient Authorizations right -- user can allocate devices, enable logins, print PostScript files, print without labels, remotely log in, and shut down the system.


    Note -

    Do not create any more users at this time. Setting up users is a two-role, trusted procedure.


    See "Managing User Accounts" in Trusted Solaris Administrator's Procedures and "Managing Users and Rights With SMC" in Trusted Solaris Administrator's Procedures for details on setting up users and user files.

    In a multilabel environment, users and roles are set up with a useful file, .link_files. See "Managing Initialization Files" in Trusted Solaris Administrator's Procedures for further discussion.
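
Once the roles and their users exist, a practitioner wants to confirm that the result matches the rules in this section: every role has at least one user who can assume it, each of those users holds the Enable Login right, and nobody was given Basic Solaris User explicitly. The following audit script is an added example, not part of the Trusted Solaris guide. It reads the Solaris user_attr(4) format (name:qualifier:res1:res2:key=value;...) and assumes Trusted Solaris records role and rights assignments with the same type=, profiles= and roles= keys as base Solaris RBAC; the snapshot it runs against is constructed, and the users alice, bob and carol are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Trusted Solaris guide: audit the role and user
# assignments after the procedure above. Reads the Solaris user_attr(4) format
# (name:qualifier:res1:res2:key=value;key=value...) and assumes Trusted Solaris
# records roles and rights with the same type=, profiles= and roles= keys as
# base Solaris RBAC. Real use:  audit_user_attr < /etc/user_attr

# Constructed snapshot of /etc/user_attr; the users alice, bob and carol are
# hypothetical. carol deliberately lists Basic Solaris User, which the guide
# says must not be assigned explicitly.
USER_ATTR_SNAPSHOT='root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
secadmin::::type=role;profiles=Information Security,Rights Security
admin::::type=role;profiles=System Administrator
primaryadmin::::type=role;profiles=Primary Administrator
oper::::type=role;profiles=Operator
alice::::type=normal;roles=secadmin;profiles=Enable Login
bob::::type=normal;roles=admin,oper;profiles=Enable Login,Convenient Authorizations
carol::::type=normal;roles=primaryadmin;profiles=Basic Solaris User,Enable Login'

# audit_user_attr: reads user_attr lines on stdin, prints one line per finding
# and exits 0 only when there are none. It checks that
#   - every role referenced by a user is defined with type=role,
#   - every type=role account has at least one user who can assume it,
#   - every user who holds a role carries the Enable Login profile,
#   - no user lists Basic Solaris User explicitly.
audit_user_attr() {
    awk -F: '
    # attr(s, key): value of key in a semicolon-separated key=value list
    function attr(s, key,   n, i, kv, parts) {
        n = split(s, kv, ";")
        for (i = 1; i <= n; i++) {
            split(kv[i], parts, "=")
            if (parts[1] == key) return substr(kv[i], length(key) + 2)
        }
        return ""
    }
    # has(list, item): 1 if item is one of the comma-separated entries in list
    function has(list, item,   n, i, a) {
        n = split(list, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == item) return 1
        return 0
    }
    BEGIN { bad = 0 }
    NF >= 5 && $1 !~ /^#/ {
        name = $1
        if (attr($5, "type") == "role") { is_role[name] = 1; next }
        roles = attr($5, "roles"); profiles = attr($5, "profiles")
        if (roles == "") next
        if (!has(profiles, "Enable Login")) {
            print "user " name " holds a role but lacks Enable Login"; bad = 1
        }
        if (has(profiles, "Basic Solaris User")) {
            print "user " name " lists Basic Solaris User explicitly"; bad = 1
        }
        n = split(roles, rl, ",")
        for (i = 1; i <= n; i++) assigned[rl[i]] = assigned[rl[i]] " " name
    }
    END {
        for (rn in is_role) if (!(rn in assigned)) {
            print "role " rn " has no user who can assume it"; bad = 1
        }
        for (rn in assigned) if (!(rn in is_role)) {
            print "role " rn " is assigned to" assigned[rn] " but is not defined"; bad = 1
        }
        exit bad
    }'
}

printf '%s\n' "$USER_ATTR_SNAPSHOT" | audit_user_attr || echo "audit: problems found"
```

On the constructed snapshot the only finding is carol's explicit Basic Solaris User entry; remove that entry and the audit passes, remove any user line and the audit reports the role that user was the sole holder of. Run it against the live user_attr after step 7 and again whenever a role is added later, since a role no user can assume is just an unused privileged account.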