Oracle Solaris Trusted Extensions Configuration Guide

ProcedureCreate the Security Administrator Role in Trusted Extensions

Role creation in Trusted Extensions is identical to role creation in the Solaris OS. However, in Trusted Extensions, a Security Administrator role is required. To create a local Security Administrator role, you can also use the command-line interface, as in Example 4–6.

Before You Begin

You must be superuser, in the root role, or in the Primary Administrator role.

To create the role on the network, you must have completed Configuring the Solaris Management Console for LDAP (Task Map).

  1. Start the Solaris Management Console.

    # /usr/sbin/smc &
  2. Select the appropriate toolbox.

    • To create the role locally, use This Computer (this-host: Scope=Files, Policy=TSOL).

    • To create the role in the LDAP service, use This Computer (ldap-server: Scope=LDAP, Policy=TSOL).

  3. Click System Configuration, then click Users.

    You are prompted for your password.

  4. Type the appropriate password.

  5. Double-click Administrative Roles.

  6. From the Action menu, choose Add Administrative Role.

  7. Create the Security Administrator role.

    Use the following information as a guide:

    • Role name – secadmin

    • Full name – Security Administrator

    • Description – Site Security Officer No proprietary information here.

    • Role ID Number – ≥100

    • Role shell – Administrator's Bourne (profile shell)

    • Create a role mailing list – Leave the checkbox selected.

    • Password and confirm – Assign a password of at least 6 alphanumeric characters.

      The password for the Security Administrator role, and all passwords, must be difficult to guess, thus reducing the chance of an adversary gaining unauthorized access by attempting to guess passwords.

      Note –

      For all administrative roles, make the account Always Available, and do not set password expiration dates.

    • Available and Granted Rights – Information Security, User Security

      • If site security does not require separation of duty, select the Information Security and the default User Security rights profiles.

      • If site security requires separation of duty, select the Information Security and the Custom User Security rights profiles.

    • Home Directory Server – home-directory-server

    • Home Directory Path – /mount-path

    • Assign Users– This field is automatically filled in when you assign a role to a user.

  8. After creating the role, check that the settings are correct.

    Select the role, then double-click it.

    Review the values in the following fields:

    • Available Groups – Add groups if required.

    • Trusted Extensions Attributes – Defaults are correct.

      For a single-label system where the labels must not be visible, choose Hide for Label: Show or Hide.

    • Audit Excluded and Included – Set audit flags only if the role's audit flags are exceptions to the system settings in the audit_control file.

  9. To create other roles, use the Security Administrator role as a guide.

    For examples, see How to Create and Assign a Role by Using the GUI in System Administration Guide: Security Services. Give each role a unique ID, and assign to the role the correct rights profile. Possible roles include the following:

    • admin Role – System Administrator Granted Rights

    • primaryadmin Role – Primary Administrator Granted Rights

    • oper Role – Operator Granted Rights

Example 4–6 Using the roleadd Command to Create a Local Security Administrator Role

In this example, the root user adds the Security Administrator role to the local system by using the roleadd command. For details, see the roleadd(1M) man page. The root user consults Table 1–2 before creating the role. At this site, separation of duty is not required to create a user.

# roleadd -c "Local Security Administrator" -d /export/home1 \
-u 110 -P "Information Security,User Security" -K lock_after_retries=no \
-K idletime=5 -K idlecmd=lock -K labelview=showsl \
-K min_label=ADMIN_LOW -K clearance=ADMIN_HIGH secadmin

The root user provides an initial password for the role.

# passwd -r files secadmin
New Password:        <Type password>
Re-enter new Password: <Retype password>
passwd: password successfully changed for secadmin

To assign the role to a local user, see Example 4–7.