Creating Roles and Users in Trusted Extensions

Role creation in Trusted Extensions is identical to role creation in the Oracle Solaris OS. However, in Trusted Extensions, a Security Administrator role is required.

This task map describes and links to the tasks that create roles and users.

Task	Description	For Instructions
Create a security administrator role.	Creates a role to handle security-relevant tasks.	Create the Security Administrator Role in Trusted Extensions
Create a system administrator role.	Creates a role to handle system administration tasks that are not related to security.	Create a System Administrator Role
Create users to assume the administrative roles.	Creates one or more users who can assume roles.	Create Users Who Can Assume Roles in Trusted Extensions
Verify that the roles can perform their tasks.	Tests the roles in various scenarios.	Verify That the Trusted Extensions Roles Work
Enable users to log in to a labeled zone.	Starts the `zones` service so that regular users can log in.	Enable Users to Log In to a Labeled Zone

Create the Security Administrator Role in Trusted Extensions

Before You Begin

You are in the root role in the global zone.

To create the role, use the roleadd command.
For information about the command, see the roleadd(1M) man page.

Use the following information as a guide:
- Role name – secadmin
- -c Local Security Officer
  
  Do not provide proprietary information.
- -d home-directory
- -u role-UID
- -K key=value
  
  Assign the Information Security and User Security rights profiles.
  
  Note - For all administrative roles, use the administrative labels for the label range, set lock_after_retries=no and do not set password expiration dates.
```
# roleadd -c "Local Security Officer" -d /export/home1 \
-u 110 -K profiles="Information Security,User Security" -K lock_after_retries=no \
-K idletime=5 -K idlecmd=lock \
-K min_label=ADMIN_LOW -K clearance=ADMIN_HIGH secadmin
```
The root account provides an initial password for the role.
```
# passwd -r files secadmin
New Password:        <Type password>
Re-enter new Password: <Retype password>
passwd: password successfully changed for secadmin
#
```
Assign a password of at least 6 alphanumeric characters. The password for the Security Administrator role, and all passwords, must be difficult to guess, thus reducing the chance of an adversary gaining unauthorized access by attempting to guess passwords.
Use the Security Administrator role as a guide when you create other roles.
Possible roles include the following:
- admin Role – System Administrator rights profile
- oper Role – Operator rights profile

Next Steps

To assign the role to a local user, see Example 4-5.

Create a System Administrator Role

Before You Begin

You are in the root role in the global zone.

Assign the System Administrator rights profile to a role that you create.

# roleadd -c "Local System Administrator" -d /export/home1 \
-u 111 -K profiles="System Administrator" -K lock_after_retries=no \
-K idletime=5 -K idlecmd=lock \
-K min_label=ADMIN_LOW -K clearance=ADMIN_HIGH sysadmin

Create Users Who Can Assume Roles in Trusted Extensions

Where site security policy permits, you can choose to create a user who can assume more than one administrative role.

For secure user creation, the System Administrator role creates the user, and the Security Administrator role assigns security-relevant attributes, such as a password.

Before You Begin

You must in the root role or in the Security Administrator role. The Security Administrator role has the least amount of privilege that is required for user creation.

Create a user.
The System Administrator performs this step.
Do not place proprietary information in the comment.
```
# useradd -c Second User -u 1201 -d /home/jdoe jdoe
```
After creating the user, modify the user's security attributes.
The Security Administrator performs this step.

Note - For users who can assume roles, turn off account locking, and do not set password expiration dates.
```
# usermod -K lock_after_retries=no -K idletime=5 -K idlecmd=lock jdoe
```
Assign a password of at least 6 alphanumeric characters.
Note - When the initial setup team chooses a password, the team must select a password that is difficult to guess, thus reducing the chance of an adversary gaining unauthorized access by attempting to guess passwords.
Assign a role to the user.
```
# usermod -R oper jdoe
```
Customize the user's environment.
1. Assign convenient authorizations.
  After checking your site security policy, you might want to grant your first users the Convenient Authorizations rights profile. With this profile, users can allocate devices, print PostScript files, print without labels, remotely log in, and shut down the system. To create the profile, see How to Create a Rights Profile for Convenient Authorizations.
2. Customize user initialization files.
  See Chapter 13, Managing Users, Rights, and Roles in Trusted Extensions (Tasks). Also see Managing Users and Rights (Task Map).
3. Create multilevel copy and link files.
  On a multilevel system, users and roles can be set up with files that list user initialization files to be copied or linked to other labels. For more information, see .copy_files and .link_files Files.

Example 4-5 Using the useradd Command to Create a Local User

In this example, the root role creates a local user who can assume the Security Administrator role. For details, see the useradd(1M) and atohexlabel(1M) man pages.

This user is going to have a label range that is wider than the default label range. So, the root role determines the hexadecimal format of the user's minimum label and clearance label.

# atohexlabel public
0x0002-08-08
# atohexlabel -c "confidential restricted"
0x0004-08-78

Next, the root role consults Table 1-2, and then creates the user.

# useradd -c "Local user for Security Admin" -d /export/home1 \
-K idletime=10 -K idlecmd=logout -K lock_after_retries=no
-K min_label=0x0002-08-08 -K clearance=0x0004-08-78 jandoe

Then, the root role assigns an initial password.

# passwd -r files jandoe
New Password:    <Type password>
Re-enter new Password: <Retype password>
passwd: password successfully changed for jandoe
#

Finally, the root role adds the Security Administrator role to the user's definition. The role was created in Create the Security Administrator Role in Trusted Extensions.

# usermod -R secadmin jandoe

Verify That the Trusted Extensions Roles Work

To verify each role, assume the role. Then, perform tasks that only that role can perform.

Before You Begin

If you have configured DNS or routing, you must reboot after you create the roles and before you verify that the roles work.

For each role, log in as a user who can assume the role.
Open the Trusted Path menu.
In the following trusted stripe, the user name is tester.
1. Click your user name in the trusted stripe.
2. From the list of roles that are assigned to you, select a role.
Test the role.
- The System Administrator role should be able to modify non-security relevant properties, such as the home directory.
- The Security Administrator role should be able to modify all properties of a user.

Enable Users to Log In to a Labeled Zone

When the host is rebooted, the association between the devices and the underlying storage must be re-established.

Before You Begin

You have created at least one labeled zone. That zone is not being used for cloning.

Reboot the system.
Log in as the root user.

Restart the zones service.

# svcs zones
STATE          STIME    FMRI
offline        -        svc:/system/zones:default

# svcadm restart svc:/system/zones:default

Log out.
Regular users can now log in. Their session is in a labeled zone.

Skip Navigation Links
Exit Print View
	Oracle Solaris Trusted Extensions Configuration and Administration Oracle Solaris 11 Express 11/10