Oracle Solaris Trusted Extensions Configuration and Administration, Oracle Solaris 11 Express 11/10
Role creation in Trusted Extensions is identical to role creation in the Oracle Solaris OS. However, in Trusted Extensions, a Security Administrator role is required. This task map describes and links to the tasks that create roles and users.
You are in the root role in the global zone.
For information about the command, see the roleadd(1M) man page.
Use the following information as a guide:
Role name – secadmin
-c Local Security Officer
Do not provide proprietary information.
Assign the Information Security and User Security rights profiles.
Note - For all administrative roles, use the administrative labels for the label range, set lock_after_retries=no and do not set password expiration dates.
# roleadd -c "Local Security Officer" -d /export/home1 \
-u 110 -K profiles="Information Security,User Security" -K lock_after_retries=no \
-K idletime=5 -K idlecmd=lock \
-K min_label=ADMIN_LOW -K clearance=ADMIN_HIGH secadmin
The root account provides an initial password for the role.
# passwd -r files secadmin
New Password: <Type password>
Re-enter new Password: <Retype password>
passwd: password successfully changed for secadmin
#
Assign a password of at least 6 alphanumeric characters. The password for the Security Administrator role, and all passwords, must be difficult to guess, thus reducing the chance of an adversary gaining unauthorized access by attempting to guess passwords.
Possible roles include the following:
admin Role – System Administrator rights profile
oper Role – Operator rights profile
To assign the role to a local user, see Example 4-5.
You are in the root role in the global zone.
# roleadd -c "Local System Administrator" -d /export/home1 \
-u 111 -K profiles="System Administrator" -K lock_after_retries=no \
-K idletime=5 -K idlecmd=lock \
-K min_label=ADMIN_LOW -K clearance=ADMIN_HIGH sysadmin
Where site security policy permits, you can choose to create a user who can assume more than one administrative role.
For secure user creation, the System Administrator role creates the user, and the Security Administrator role assigns security-relevant attributes, such as a password.
You must be in the root role or in the Security Administrator role. The Security Administrator role has the least amount of privilege that is required for user creation.
The System Administrator performs this step.
Do not place proprietary information in the comment.
# useradd -c "Second User" -u 1201 -d /home/jdoe jdoe
The Security Administrator performs this step.
Note - For users who can assume roles, turn off account locking, and do not set password expiration dates.
# usermod -K lock_after_retries=no -K idletime=5 -K idlecmd=lock jdoe
Note - When the initial setup team chooses a password, the team must select a password that is difficult to guess, thus reducing the chance of an adversary gaining unauthorized access by attempting to guess passwords.
# usermod -R oper jdoe
After checking your site security policy, you might want to grant your first users the Convenient Authorizations rights profile. With this profile, users can allocate devices, print PostScript files, print without labels, remotely log in, and shut down the system. To create the profile, see How to Create a Rights Profile for Convenient Authorizations.
On a multilevel system, users and roles can be set up with files that list user initialization files to be copied or linked to other labels. For more information, see .copy_files and .link_files Files.
Example 4-5 Using the useradd Command to Create a Local User
This user is going to have a label range that is wider than the default label range. So, the root role determines the hexadecimal format of the user's minimum label and clearance label.
# atohexlabel public
0x0002-08-08
# atohexlabel -c "confidential restricted"
0x0004-08-78
Next, the root role consults Table 1-2, and then creates the user.
# useradd -c "Local user for Security Admin" -d /export/home1 \
-K idletime=10 -K idlecmd=logout -K lock_after_retries=no \
-K min_label=0x0002-08-08 -K clearance=0x0004-08-78 jandoe
Then, the root role assigns an initial password.
# passwd -r files jandoe
New Password: <Type password>
Re-enter new Password: <Retype password>
passwd: password successfully changed for jandoe
#
Finally, the root role adds the Security Administrator role to the user's definition. The role was created in Create the Security Administrator Role in Trusted Extensions.
# usermod -R secadmin jandoe
To verify each role, assume the role. Then, perform tasks that only that role can perform.
If you have configured DNS or routing, you must reboot after you create the roles and before you verify that the roles work.
In the following trusted stripe, the user name is tester.
The System Administrator role should be able to modify non-security relevant properties, such as the home directory.
The Security Administrator role should be able to modify all properties of a user.
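Assuming a role and exercising it confirms that the role works; it does not confirm that every role and role-capable user carries the attributes the notes above require (lock_after_retries=no, the administrative labels as the label range, and a locking idle action). The following script is an added example, not part of this Oracle document or of Trusted Extensions: it reads entries in the user_attr(4) field layout (user:qualifier:res1:res2:attr, with attr as semicolon-separated key=value pairs) and reports any role, or any user who can assume a role, that deviates from those settings. The sample entries are constructed for the example; on a real host the audit would read /etc/user_attr or the output of getent.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit user_attr(4)-style entries for the
# settings the Trusted Extensions role and user procedures require.

# audit_user_attr reads entries on stdin, prints one line per finding, and
# returns 0 when nothing was found and 1 when at least one finding was printed.
audit_user_attr() {
    awk -F: '
    /^#/ || NF < 5 { next }
    {
        name = $1
        split("", kv)                       # clear the key=value map per entry
        n = split($5, pairs, ";")
        for (i = 1; i <= n; i++) {
            eq = index(pairs[i], "=")
            if (eq > 0) kv[substr(pairs[i], 1, eq - 1)] = substr(pairs[i], eq + 1)
        }
        is_role = (kv["type"] == "role")
        can_assume = ("roles" in kv)
        if (!is_role && !can_assume) next   # ordinary user: nothing required here

        # Roles and users who can assume roles: account locking must be off
        if (kv["lock_after_retries"] != "no") {
            print name ": lock_after_retries must be no (is \"" kv["lock_after_retries"] "\")"; bad++
        }
        if (is_role) {
            # Administrative roles use the administrative labels as their range
            if (kv["min_label"] != "ADMIN_LOW")  { print name ": min_label must be ADMIN_LOW"; bad++ }
            if (kv["clearance"] != "ADMIN_HIGH") { print name ": clearance must be ADMIN_HIGH"; bad++ }
            # An idle role session should lock rather than stay open
            if (kv["idlecmd"] != "lock")         { print name ": idlecmd should be lock"; bad++ }
        }
    }
    END { exit (bad > 0) }'
}

# Constructed sample entries, mirroring the roles and users created above.
# The oper role is deliberately missing lock_after_retries=no.
sample_user_attr='secadmin::::type=role;profiles=Information Security,User Security;lock_after_retries=no;idletime=5;idlecmd=lock;min_label=ADMIN_LOW;clearance=ADMIN_HIGH
sysadmin::::type=role;profiles=System Administrator;lock_after_retries=no;idletime=5;idlecmd=lock;min_label=ADMIN_LOW;clearance=ADMIN_HIGH
oper::::type=role;profiles=Operator;idletime=5;idlecmd=lock;min_label=ADMIN_LOW;clearance=ADMIN_HIGH
jdoe::::roles=oper;lock_after_retries=no;idletime=5;idlecmd=lock
jandoe::::roles=secadmin;lock_after_retries=no;idletime=10;idlecmd=logout;min_label=0x0002-08-08;clearance=0x0004-08-78
guest::::lock_after_retries=yes'

# audit_sample runs the audit over the constructed entries.
audit_sample() {
    printf '%s\n' "$sample_user_attr" | audit_user_attr
}

# Usage: audit_sample; or, on a host, audit_user_attr < /etc/user_attr
```

Run against the sample, the audit reports only the oper role (its lock_after_retries attribute is absent) and exits non-zero; the guest entry is ignored because it is neither a role nor a user who can assume one. The checks are deliberately limited to what the notes in this procedure state; site policy may add further requirements.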
When the host is rebooted, the association between the devices and the underlying storage must be re-established.
You have created at least one labeled zone. That zone is not being used for cloning.
# svcs zones
STATE          STIME    FMRI
offline        -        svc:/system/zones:default
# svcadm restart svc:/system/zones:default
Regular users can now log in. Their session is in a labeled zone.