Oracle Solaris Trusted Extensions Configuration Guide

Procedure: Create Users Who Can Assume Roles in Trusted Extensions

To create a local user, you can use the command-line interface, as in Example 4–7, instead of the following procedure. Where site security policy permits, you can choose to create a user who can assume more than one administrative role.

For secure user creation, the System Administrator role creates the user, and the Security Administrator role assigns security-relevant attributes, such as a password.

Before You Begin

You must be superuser, in the root role, in the Security Administrator role, or in the Primary Administrator role. The Security Administrator role has the least amount of privilege that is required for user creation.

The Solaris Management Console is displayed. For details, see Create the Security Administrator Role in Trusted Extensions.

  1. Double-click User Accounts in the Solaris Management Console.

  2. From the Action menu, choose Add User -> Use Wizard.

    Caution –

    The names and IDs of roles and users come from the same pool. Do not use existing names or IDs for the users that you add.

  3. Follow the online help.

    You can also follow the procedures in How to Add a User With the Solaris Management Console’s Users Tool in System Administration Guide: Basic Administration.

  4. After creating the user, double-click the created user to modify the settings.

    Note –

    For users who can assume roles, make the user account Always Available, and do not set password expiration dates.

    Ensure that the following fields are correctly set:

    • Description – No proprietary information here.

    • Password and confirm – Assign a password of at least 6 alphanumeric characters.

      Note –

      When the initial setup team chooses a password, the team must select a password that is difficult to guess, thus reducing the chance of an adversary gaining unauthorized access by attempting to guess passwords.

    • Account Availability – Always Available.

    • Trusted Extensions Attributes – Defaults are correct.

      For a single-label system where the labels must not be visible, choose Hide for Label: Show or Hide.

    • Account Usage – Set Idle time and Idle action.

      Lock account – Set to No for any user who can assume a role.

  5. Close the Solaris Management Console.

  6. Customize the user's environment.

    1. Assign convenient authorizations.

      After checking your site security policy, you might want to grant your first users the Convenient Authorizations rights profile. With this profile, you can enable users to allocate devices, print PostScript™ files, print without labels, remotely log in, and shut down the system. To create the profile, see How to Create a Rights Profile for Convenient Authorizations in Oracle Solaris Trusted Extensions Administrator’s Procedures.

    2. Customize user initialization files.

      See Chapter 7, Managing Users, Rights, and Roles in Trusted Extensions (Tasks), in Oracle Solaris Trusted Extensions Administrator’s Procedures.

      Also see Managing Users and Rights With the Solaris Management Console (Task Map) in Oracle Solaris Trusted Extensions Administrator’s Procedures.

    3. Create multilabel copy and link files.

      On a multilabel system, users and roles can be set up with files that list user initialization files to be copied or linked to other labels. For more information, see .copy_files and .link_files Files in Oracle Solaris Trusted Extensions Administrator’s Procedures.

Example 4–7 Using the useradd Command to Create a Local User

In this example, the root user creates a local user who can assume the Security Administrator role. For details, see the useradd(1M) and atohexlabel(1M) man pages.

First, the root user determines the hexadecimal format of the user's minimum label and clearance label.

# atohexlabel public
# atohexlabel -c "confidential restricted"

Next, the root user consults Table 1–2, and then creates the user.

# useradd -c "Local user for Security Admin" -d /export/home1 \
-K idletime=10 -K idlecmd=logout -K lock_after_retries=no \
-K min_label=0x0002-08-08 -K clearance=0x0004-08-78 -K labelview=showsl jandoe

Then, the root user provides an initial password.

# passwd -r files jandoe
New Password:    <Type password>
Re-enter new Password: <Retype password>
passwd: password successfully changed for jandoe

Finally, the root user adds the Security Administrator role to the user's definition. The role was created in Create the Security Administrator Role in Trusted Extensions.

# usermod -R secadmin jandoe
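As an added check (not part of the Oracle guide), the following POSIX shell function reads a user's user_attr(4) entry and verifies the attributes that this procedure and Example 4–7 require for a user who can assume a role: lock_after_retries=no, idletime and idlecmd set, hexadecimal min_label and clearance, and the secadmin role assigned. The user_attr content below is constructed for the example and is not a real system file.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. Assumes the user_attr(4)
# layout user:qualifier:res1:res2:key=val;key=val.

# get_attr USER FILE KEY -> print the value of KEY in USER's attribute field
get_attr() {
    awk -F: -v u="$1" -v k="$3" '
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                split(kv[i], p, "=")
                if (p[1] == k) { print substr(kv[i], length(k) + 2); exit }
            }
        }' "$2"
}

# check_role_user USER FILE -> 0 if the entry satisfies the procedure, 1 otherwise
check_role_user() {
    user=$1; file=$2; rc=0
    # Step 4: Lock account must be No for any user who can assume a role
    [ "$(get_attr "$user" "$file" lock_after_retries)" = "no" ] || { echo "$user: lock_after_retries is not 'no'"; rc=1; }
    # Step 4: Idle time and Idle action must both be set
    [ -n "$(get_attr "$user" "$file" idletime)" ] || { echo "$user: idletime unset"; rc=1; }
    [ -n "$(get_attr "$user" "$file" idlecmd)" ] || { echo "$user: idlecmd unset"; rc=1; }
    # Labels must be in the hexadecimal form produced by atohexlabel
    for k in min_label clearance; do
        case "$(get_attr "$user" "$file" "$k")" in
            0x*) ;;
            *) echo "$user: $k missing or not hexadecimal"; rc=1 ;;
        esac
    done
    # The Security Administrator role must actually be assigned (usermod -R)
    case ",$(get_attr "$user" "$file" roles)," in
        *,secadmin,*) ;;
        *) echo "$user: secadmin role not assigned"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: jandoe matches Example 4-7; bobroe kept the lock
# default and was never given a role.
SAMPLE_USER_ATTR=$(mktemp)
cat > "$SAMPLE_USER_ATTR" <<'EOF'
jandoe::::idletime=10;idlecmd=logout;lock_after_retries=no;min_label=0x0002-08-08;clearance=0x0004-08-78;labelview=showsl;roles=secadmin
bobroe::::idletime=10;idlecmd=logout;min_label=0x0002-08-08;clearance=0x0004-08-78
EOF

check_role_user jandoe "$SAMPLE_USER_ATTR" && echo "jandoe: ok"
check_role_user bobroe "$SAMPLE_USER_ATTR" || echo "bobroe: needs attention"
```

On a live system, point the function at /etc/user_attr instead of the constructed sample.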