The install team creates the administrative roles (other than root) to be used at the site. The team assigns each role its rights profiles. Initial rights profiles are provided on the installation CD-ROM.
The appropriate toolbox scope for creating roles and users in a non-networked environment is this-host: Scope=Files, Policy=TSOL.
In the root role at label ADMIN_LOW, start the Solaris Management Console if it is not running.
Select the appropriate toolbox.
Click Trusted Solaris Configuration, then click Users.
When prompted, enter the root role password.
Double-click Administrative Roles (the console shows the label truncated as Administrativ...).
Choose Add Administrative Role from the Action menu.
The Add Administrative Role wizard enables you to enter all values that are required for a role to work well. Values that you are not prompted to enter receive a default value. If you want to view or modify a role, double-click the role after creating it.
Create the secadmin role to be the security administrator. Use the following table as a guide when creating the role.
The secadmin password, and all passwords, should be one that is not easy to guess, thus reducing the chance of an adversary gaining unauthorized access by attempting to guess passwords.
For all administrative roles, make the account Always Available, and do not set password expiration dates.
Table 4-1 secadmin Values in Add Administrative Role Wizard

| Tab | Role Field | (Recommended) Value |
|---|---|---|
| Role Name | Role name | secadmin |
| | Full Name | Security Administrator |
| | Description | No proprietary info here. |
| | Role ID Number | >=100 |
| | Role shell | Administrator's Bourne (profile shell) |
| | Create a role mailing list | checked |
| Password | Password and confirm | Assign a password of at least 6 alphanumeric characters. |
| Rights | Available and Granted | Security |
| Home Directory | Server | home directory server |
| | Path | /mount_path |
| Assign Users | Add and Delete | This will be automatically filled in when you assign a role to a user. |
After creating the role, select it and double-click it to modify it. Use information from the following table as a guide.
Table 4-2 secadmin Values in Properties/Modify Dialog

| Tab | Role Field | (Recommended) Value |
|---|---|---|
| Password | Set password by Type in or Choose from list | (Set in Table 4-1.) |
| | Update password by Choose from list or Type in | |
| Group | Available Groups | |
| Trusted Solaris Attributes | Minimum Label: Edit | Default value is correct. |
| | Clearance: Edit | Default value is correct. |
| | View: External or Internal | The default value is External. |
| | Label: Show or Hide | If your site is a no-label site, choose Hide. |
| | Lock account ... | Default value, No, is correct. |
| Audit | Excluded and Included | Set flags per site security policy |
Using the preceding tables as a guide, create the following three roles. Give each role a unique ID, and assign to it the correct rights profile, as shown below:
| Role Name | Granted Rights |
|---|---|
| admin | System Administrator |
| primaryadmin | Primary Administrator |
| oper | Operator |
You must create the administrative roles before you create the users, since you will assign a role to each user.
The install team in the root role creates users to assume the roles secadmin, admin, and primaryadmin. Where site security policy permits, the team can choose to create one user who can assume more than one administrative role.
Double-click User Accounts in the Solaris Management Console.
Choose Add User -> Use Wizard from the Action menu.
Role and user IDs come from the same pool of IDs. Do not use existing names or IDs for the users you add.
Begin to create a user who can assume the secadmin role and use Table 4-3 to fill out the fields.
The Add User -> Use Wizard dialog boxes create most aspects of a user.
After creating the user, double-click the created user to modify some user properties.
Use Table 4-4 as a guide.
Read the (Recommended) Value columns for guidance.
Parentheses enclose suggestions. Requirements or defaults are not enclosed in parentheses.
When the install team chooses a password, the team must select one that is not easy to guess, thus reducing the chance of an attacker gaining unauthorized access by attempting to guess passwords.
Table 4-3 User Values in Add User Wizard

| Tab | User Field | (Recommended) Value |
|---|---|---|
| User Name | User name | |
| | Full name | |
| | Description | No proprietary info here. |
| | User ID number | (1001 or higher) |
| Password | Set password by Type in or Choose from list | Assign a password of at least 6 alphanumeric characters. |
| | Confirm | |
| Group | Primary group | Staff |
| Home directory | Server | home directory server |
| | Path | |
For the user who can assume the secadmin role, select "Always Available" for "Account Availability" under General, below. Choose an appropriate account availability for other users.
Table 4-4 User Values in Properties/Modify Dialog

| Tab | User Field | (Recommended) Value |
|---|---|---|
| General | Shell | |
| | Account Availability | Always Available |
| Password | Set password by Type in or Choose from list | (Set in Table 4-3.) |
| | Update password by Choose from list or Type in | |
| Group | Additional Groups | |
| Roles | Available Roles and Assigned Roles | secadmin |
| Trusted Solaris Attributes | Minimum Label: Edit | Default value is correct. |
| | Clearance: Edit | Default value is correct. |
| | View: External or Internal | |
| | Label: Show or Hide | If your site is a no-label site, choose Hide. |
| Account Usage | Idle time | |
| | Idle action | |
| | Lock account ... | No -- for any user who will assume a role. |
| Rights | Available and Granted | Enable Login ... and see Note below. |
| Audit | Excluded and Included | Set flags per site security policy |
Although Basic Solaris User does not appear in the Granted column, this right is assigned automatically to a user that is created using the Add User wizard. Do not assign the right explicitly.
Create and modify another user, one who can assume the admin role.
(Optional) Create and modify third and fourth users to assume the primaryadmin and oper roles, and provide them with unique IDs and appropriate Rights.
These first users should each have at least the Enable Login right -- user can enable logins after a system reboot.
After checking your site security policy, you may want to add the Convenient Authorizations right -- user can allocate devices, enable logins, print PostScript files, print without labels, remotely log in, and shut down the system.
Do not create any more users at this time. Setting up users is a two-role, trusted procedure.
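A check script, added here and not part of the Trusted Solaris documentation, that verifies the role and user rules from the preceding tables: the four roles exist with their granted rights profiles, role IDs are 100 or higher, user IDs are 1001 or higher, no ID is reused, and each first user can assume a role. It assumes the wizard's results are recorded in the Solaris RBAC user_attr and passwd formats; the accounts below are constructed samples, and bkim deliberately breaks two rules.

```shell
# Constructed sample accounts in /etc/user_attr and /etc/passwd format (assumption: the
# Solaris RBAC databases; names and UIDs are invented, bkim deliberately breaks two rules).
USER_ATTR='secadmin::::type=role;profiles=Security
admin::::type=role;profiles=System Administrator
primaryadmin::::type=role;profiles=Primary Administrator
oper::::type=role;profiles=Operator
jdoe::::type=normal;roles=secadmin;profiles=Enable Login
asmith::::type=normal;roles=admin;profiles=Enable Login
bkim::::type=normal;profiles=Enable Login'
PASSWD='secadmin:x:100:10:Security Administrator:/export/home/secadmin:/bin/pfsh
admin:x:101:10:System Administrator:/export/home/admin:/bin/pfsh
primaryadmin:x:102:10:Primary Administrator:/export/home/primaryadmin:/bin/pfsh
oper:x:103:10:Operator:/export/home/oper:/bin/pfsh
jdoe:x:1001:10:J. Doe:/export/home/jdoe:/bin/sh
asmith:x:1002:10:A. Smith:/export/home/asmith:/bin/sh
bkim:x:1002:10:B. Kim:/export/home/bkim:/bin/sh'

# Print the value of one key (type, profiles, roles) from an account's attribute field.
attr_of() {  # $1 = account name, $2 = key
  printf '%s\n' "$USER_ATTR" | awk -F: -v n="$1" -v k="$2" '$1 == n {
    split($5, kv, ";")
    for (i in kv) if (index(kv[i], k "=") == 1) print substr(kv[i], length(k) + 2) }'
}

# 0 when each of the four roles exists as type=role with the rights profile from the tables.
check_roles() {
  printf '%s\n' 'secadmin|Security' 'admin|System Administrator' \
    'primaryadmin|Primary Administrator' 'oper|Operator' |
  while IFS='|' read -r role profile; do
    [ "$(attr_of "$role" type)" = role ] || { echo "missing role: $role"; exit 1; }
    [ "$(attr_of "$role" profiles)" = "$profile" ] || { echo "wrong rights for $role"; exit 1; }
  done
}

# 0 when role IDs are >= 100, user IDs are >= 1001, and no UID is used twice.
check_ids() {
  printf '%s\n' "$PASSWD" | awk -F: -v attrs="$USER_ATTR" '
    BEGIN { bad = 0; n = split(attrs, l, "\n")
            for (i = 1; i <= n; i++) { split(l[i], f, ":"); isrole[f[1]] = (f[5] ~ /type=role/) } }
    seen[$3]++               { print "UID " $3 " reused by " $1; bad = 1 }
    isrole[$1] && $3 < 100   { print "role UID below 100: " $1; bad = 1 }
    !isrole[$1] && $3 < 1001 { print "user UID below 1001: " $1; bad = 1 }
    END { exit bad }'
}

# List ordinary accounts that can assume no role at all.
users_without_role() {
  printf '%s\n' "$USER_ATTR" | awk -F: '$5 ~ /type=normal/ && $5 !~ /(^|;)roles=/ { print $1 }'
}
```

Run against the real files by replacing the two constructed strings with `cat /etc/user_attr` and `cat /etc/passwd` output.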
See "Managing User Accounts" in Trusted Solaris Administrator's Procedures and "Managing Users and Rights With SMC" in Trusted Solaris Administrator's Procedures for details on setting up users and user files.
In a multilabel environment, users and roles are set up with a useful file, .link_files. See "Managing Initialization Files" in Trusted Solaris Administrator's Procedures for further discussion.