Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

Updated: March 2019
 
 

How to Create the Security Administrator Role in Trusted Extensions

Before You Begin

You are in the root role in the global zone.

  1. To create the role, use the roleadd command.

    For information about the command, see the roleadd(8) man page.


    Note - To use ARMOR roles, see the ARMOR example in the Creating a Role in Securing Users and Processes in Oracle Solaris 11.4 section.

      Use the following information as a guide:

    • Role name – secadmin

    • -c Local Security Officer

      Do not provide proprietary information.

    • –m home-directory

    • –u role-UID

    • –S repository

    • –K key=value

      Assign the Information Security and User Security rights profiles.


      Note - For all administrative roles, use the administrative labels for the label range, audit uses of administrative commands, set lock_after_retries=no, and do not set password expiration dates.
    # roleadd -c "Local Security Officer" -m \
    -u 110 -K profiles="Information Security,User Security" -S files \
    -K lock_after_retries=no -K audit_flags=cusa:no secadmin
  2. Provide an initial password for the role.
    # passwd -r files secadmin
    New Password: xxxxxxxx 
    Re-enter new Password: xxxxxxxx
    passwd: password successfully changed for secadmin
    #

    Assign a password of at least eight alphanumeric characters. The password for the Security Administrator role, and all passwords, must be difficult to guess, thus reducing the chance of an adversary gaining unauthorized access by attempting to guess passwords.

  3. Use the Security Administrator role as a guide when you create other roles.

      Possible roles include the following:

    • admin Role – System Administrator rights profile

    • oper Role – Operator rights profile

Example 7  Creating the Security Administrator Role in LDAP

After configuring the first system with a local Security Administrator role, the administrator creates the Security Administrator role in the LDAP repository. In this scenario, LDAP clients can be administered by the Security Administrator role that is defined in LDAP.

# roleadd -c "Site Security Officer" -d server1:/rpool/pool1/BayArea/secadmin
-u 111 -K profiles="Information Security,User Security" -S ldap \
-K lock_after_retries=no -K audit_flags=cusa:no secadmin

The administrator provides an initial password for the role.

# passwd -r ldap secadmin
New Password: xxxxxxxx 
Re-enter new Password: xxxxxxxx
passwd: password successfully changed for secadmin
#

Next Steps

To assign the local role to a local user, see How to Create Users Who Can Assume Roles in Trusted Extensions.